Windows Analysis Report
daw21.exe

Overview

General Information

Sample name: daw21.exe
Analysis ID: 1579701
MD5: 08d493bfdfa30242a5846dbdef4c1948
SHA1: f543aa3ad55c4b4fe176bc610c6d90ff278a8b2f
SHA256: 7dccfe6b2eab06663f0b7dac8406252f4bf222fff85dc75c356be422dab0f46e
Tags: exe, StealC, user-lontze7

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • daw21.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\daw21.exe" MD5: 08D493BFDFA30242A5846DBDEF4C1948)
    • WerFault.exe (PID: 940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 1388 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "https:/135.181.65.216/ee45b7c5e4cb75cb.php"}
Yara matches (sample file)
Source | Rule | Description | Author | Strings
daw21.exe | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000000.2038269918.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings
0.0.daw21.exe.dd0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.daw21.exe.dd0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T07:59:13.802979+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 135.181.65.216 | 443 | TCP


                  AV Detection

Source: daw21.exe | Avira: detected
Source: daw21.exe.5256.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "https:/135.181.65.216/ee45b7c5e4cb75cb.php"}
Source: daw21.exe | ReversingLabs: Detection: 57%
Source: daw21.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: daw21.exe | Joe Sandbox ML: detected
Source: 0.0.daw21.exe.dd0000.0.unpack | String decryptor: one decrypted string per line below
  INSERT_KEY_HERE
  01
  03
  20
  25
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  https://135.181.65.216
  /ee45b7c5e4cb75cb.php
  /4a21a126be249f0d/
  valenciga
  GetEnvironmentVariableA
  GetFileAttributesA
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  history
  SELECT url FROM urls LIMIT 1000
  cc
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
  - HWID:
  - OS:
  - Architecture:
  - UserName:
  - Computer Name:
  - Local Time:
  - UTC:
  - Language:
  - Keyboards:
  - Laptop:
  - Running Path:
  - CPU:
  - Threads:
  - Cores:
  - RAM:
  - Display Resolution:
  - GPU:
  User Agents:
  Installed Apps:
  All Users:
  Current User:
  Process List:
  system_info.txt
  freebl3.dll
  mozglue.dll
  msvcp140.dll
  nss3.dll
  softokn3.dll
  vcruntime140.dll
  \Temp\
  .exe
  runas
  open
  /c start
  %DESKTOP%
  %APPDATA%
  %LOCALAPPDATA%
  %USERPROFILE%
  %DOCUMENTS%
  %PROGRAMFILES_86%
  %RECENT%
  *.lnk
  files
  \discord\
  \Local Storage\leveldb\CURRENT
  \Local Storage\leveldb
  \Telegram Desktop\
  key_datas
  D877F783D5D3EF8C*
  map*
  A7FDF864FBC10B77*
  A92DAA6EA6F891F2*
  F8806DD0C461824F*
  Telegram
  Tox
  *.tox
  *.ini
  Password
  Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
  00000001
  00000002
  00000003
  00000004
  \Outlook\accounts.txt
  Pidgin
  \.purple\
  accounts.xml
  dQw4w9WgXcQ
  token:
  Software\Valve\Steam
  SteamPath
  \config\
  ssfn*
  config.vdf
  DialogConfig.vdf
  DialogConfigOverlay*.vdf
  libraryfolders.vdf
  loginusers.vdf
  \Steam\
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: sqlite3.dll
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: done
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: soft
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: \Discord\tokens.txt
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: https
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: POST
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: HTTP/1.1
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: hwid
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: build
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: token
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: file_name
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: file
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: message
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                  Source: 0.0.daw21.exe.dd0000.0.unpackString decryptor: screenshot.jpg
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DD4B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,0_2_00DD4B80
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DD7690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00DD7690
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DF4090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,0_2_00DF4090
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DD6000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,0_2_00DD6000
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DD9BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_00DD9BE0
                  Source: C:\Users\user\Desktop\daw21.exeCode function: 0_2_00DD9B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00DD9B80
                  Source: daw21.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: daw21.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                  Networking

                  Source: Malware configuration extractor | URLs: https:/135.181.65.216/ee45b7c5e4cb75cb.php
                  Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 135.181.65.216:443
                  Source: unknown | TCP traffic detected without corresponding DNS query: 135.181.65.216
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DD56C0 lstrcpy,lstrlenA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,memcpy,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00DD56C0
                  Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/405117-2476756634-1003
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/E
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/m-
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DD97A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop | 0_2_00DD97A0
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: String function: 00DD4980 appears 316 times
                  Source: C:\Users\user\Desktop\daw21.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 1388
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF46C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_00DF46C0
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
                  Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fbc4675a-4122-4d42-970c-84b519be0ce2
                  Source: daw21.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\daw21.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: daw21.exe | ReversingLabs: Detection: 57%
                  Source: daw21.exe | Virustotal: Detection: 56%
                  Source: unknown | Process created: C:\Users\user\Desktop\daw21.exe "C:\Users\user\Desktop\daw21.exe"
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\daw21.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF63C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00DF63C0
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\daw21.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-6079
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWs
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, daw21.exe, 00000000.00000002.2621310462.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: daw21.exe, 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\daw21.exe | API call chain: ExitProcess graph end node | graph_0-6496
                  Source: C:\Users\user\Desktop\daw21.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\daw21.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DD4980 VirtualProtect 00000000,00000004,00000100,? | 0_2_00DD4980
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF63C0 mov eax, dword ptr fs:[00000030h] | 0_2_00DF63C0
                  Source: C:\Users\user\Desktop\daw21.exe | Memory protected: page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: daw21.exe PID: 5256, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF46C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_00DF46C0
                  Source: C:\Users\user\Desktop\daw21.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\Desktop\daw21.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF3E10 lstrcpy,lstrcpy,GetSystemTime | 0_2_00DF3E10
                  Source: C:\Users\user\Desktop\daw21.exe | Code function: 0_2_00DF29E0 GetProcessHeap,HeapAlloc,GetUserNameA | 0_2_00DF29E0
                  Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: daw21.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.daw21.exe.dd0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.daw21.exe.dd0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.2038269918.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: daw21.exe PID: 5256, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: daw21.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.daw21.exe.dd0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.daw21.exe.dd0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.2038269918.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: daw21.exe PID: 5256, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number marks a technique matched by this report's signatures, with the number as the report gives it)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 2 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 Create Account, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 1 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 1 DLL Side-Loading, Compile After Delivery
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 1 System Time Discovery, 31 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 12 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 22 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 12 Encrypted Channel, 1 Ingress Tool Transfer, 11 Application Layer Protocol, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
daw21.exe | 58% | ReversingLabs | Win32.Trojan.StealC
daw21.exe | 56% | Virustotal | -
daw21.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
daw21.exe | 100% | Joe Sandbox ML | -
                  No Antivirus matches
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https:/135.181.65.216/ee45b7c5e4cb75cb.php | true | - | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://135.181.65.216/405117-2476756634-1003 | daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://upx.sf.net | Amcache.hve.5.dr | false | - | high
https://135.181.65.216/E | daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://135.181.65.216/m- | daw21.exe, 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://135.181.65.216/ | daw21.exe, 00000000.00000002.2621310462.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://135.181.65.216 | daw21.exe, 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
135.181.65.216 | unknown | Germany | 24940 | HETZNER-ASDE | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1579701
                                Start date and time:2024-12-23 07:58:17 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 18s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:daw21.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@2/5@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 92%
                                • Number of executed functions: 17
                                • Number of non-executed functions: 42
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.63, 20.109.210.53, 40.126.53.12
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:00:06 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                No context
Match: HETZNER-ASDE
Associated Sample Name / URL | Detection | Threat Name | Context
gVKsiQIHqe.exe | malicious | Vidar | 94.130.188.57
trZG6pItZj.exe | malicious | Vidar | 94.130.188.57
9EI7wrGs4K.exe | malicious | Vidar | 94.130.188.57
AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 94.130.188.57
Loader.exe | malicious | RHADAMANTHYS | 213.239.239.164
GoldenContinent.exe | malicious | Vidar | 94.130.188.57
https://cpanel05wh.bkk1.cloud.z.com/~cp197720/open/DD/ | malicious | HTMLPhisher | 135.181.58.223
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.130.188.57
https://gogvo.com/redir.php?url=https://atratejarat.com/wp-content/red/DhmgvV | malicious | Unknown | 136.243.5.53
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 94.130.188.57
                                No context
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9489641572063066
                                Encrypted:false
                                SSDEEP:192:LUF+3wxu0BU/AjvYZrRtwzuiFUZ24IO8EwV:4F+3wxVBU/AjeCzuiFUY4IO8EwV
                                MD5:438F3D43FA5C7E32D41C263E2E51297C
                                SHA1:E5FC39CD08ACEB17B934C5582D49DF3ADBD19047
                                SHA-256:5E5B7A275EB22684E23924E2C6B7F689FE21114C92EBE6DA7474D1B37DCEDB86
                                SHA-512:AD22CB94AD6062E458C99853637FB3754D78D00E8FDE59879760650E92BE953DEEC090F432D35ABADE5A6D8BF553C73FD89D5176F398667B4D4F56316C06B43C
                                Malicious:true
                                Reputation:low
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 06:59:32 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):121090
                                Entropy (8bit):1.5889177336125118
                                Encrypted:false
                                SSDEEP:384:BzBQqeE1iz5rSx8O04/P7ZOMnFSMMD6cM6dwqk:1KqeE1iVvuNOMFQ6cR
                                MD5:7D3C4736EEC3B7485385B5546A4360EA
                                SHA1:76257C1782C8C718218924AE3850B0554201ACE1
                                SHA-256:53B672E9DCE76C1B65E255E7EA9311423E839694538F9E5F42CAFBABED26C832
                                SHA-512:894D3811CACAF5A3EBB85856D6CFC3BFE658F5A5ECD3AA20D345F92C689E8DE0D4CF5B88F94B009ECDEA093F6388C1D0C6AB8FBF04382D9AB0236FE1DF4AE75C
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8326
                                Entropy (8bit):3.6998370740910076
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJkn6O9CC6YEIBSU9GegmfM65prB89b35sfCg29m:R6lXJM6O9CC6YE+SU9GegmfM6q3SfCgt
                                MD5:71614711D124185C6BA44DABD6528D34
                                SHA1:9B7ABF8E4A8BACB1594CC69722BF2083D1A18E2B
                                SHA-256:BF3B9CB9B5283287B09740AEEF2904B4144DE523BD95170FF5A627EA972B1C78
                                SHA-512:BF6E7B825091ADADB9796D6E514BA908789C49551223CE81931C26A9ACC1D5B3E8FA7C89FD5E171E40D53182D83D740F86D1793D968D43ED01DD0F066E34A0B0
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4558
                                Entropy (8bit):4.442725259921341
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsnAtJg77aI9x4F/WpW8VY2YYm8M4J7NeF5+q85+d1Y/Rd:uIjfnGI7g07VhJ7gkK1Y/Rd
                                MD5:0455CD1E170B68BA40757A6461C282AA
                                SHA1:46777FB8B4FE8DD4B92D3101E633424113A4EFAA
                                SHA-256:792777555BA513D5D0B08CEDB6BD11BD3387EBAD2A5A132F56BAC50EBD8772E7
                                SHA-512:5A9C66A732EFA76F475BDD5CB185C3824E25208F4E54D41DAC5B5E9C87351704D948AF9C644A07DD3AAAB5CEA83CB6121FBBF50699CB2AC909E304ED5BEF9648
                                Malicious:false
                                Reputation:low
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643562" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.421334128150206
                                Encrypted:false
                                SSDEEP:6144:TSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:evloTMW+EZMM6DFy703w
                                MD5:CE92C583E25316A9C3665582170BE305
                                SHA1:2E15C35F61A6FE5D296DDE5B3548F745AD38B37B
                                SHA-256:9F0E9358881DDFF3737667888CF20767636CCF7E6C2C4F0AE39EE5153E6FB531
                                SHA-512:B434F14379E1B05B506843D1001141BD9253EF02ABA85EC02AA75CFE3C493ED66552D0926F5FA908A2E6B45F47AD9C636A19E7B380A26A7BCF9DE1308226C4C6
                                Malicious:false
                                Reputation:low
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.574581381719375
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:daw21.exe
                                File size:245'760 bytes
                                MD5:08d493bfdfa30242a5846dbdef4c1948
                                SHA1:f543aa3ad55c4b4fe176bc610c6d90ff278a8b2f
                                SHA256:7dccfe6b2eab06663f0b7dac8406252f4bf222fff85dc75c356be422dab0f46e
                                SHA512:8bd248437528fa40cd23fa3240c2378c701c4ede8278ce4ec9bf7e55483c176c42b222ed90bae8252008602de212126cdba69d298de5387ff10a9b319dcb6047
                                SSDEEP:3072:shv0eu6ZJlctXwLISyqlsxfKPkAck1gD1l567pGDUJ42EnTC2RReHeP3KqX+n:eMeNRFLIu5ckeHgFGD+jsC2zeot+
                                TLSH:F8341925EF40443FEE12867CD6B963D5B22669A46312D8D333CC25198DF40E32D7E6AB
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x421bd0
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x67683602 [Sun Dec 22 15:53:38 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:d071ac95ea1d6b0ed6ec53017449901f
                                Instruction
                                push ebp
                                mov ebp, esp
                                sub esp, 34h
                                push ebx
                                push esi
                                push edi
                                call 00007F257C7DFD07h
                                call 00007F257C803722h
                                xor ebx, ebx
                                cmp byte ptr [0042D014h], bl
                                je 00007F257C7FEF4Fh
                                lea ecx, dword ptr [ecx+00h]
                                inc ebx
                                cmp byte ptr [ebx+0042D014h], 00000000h
                                jne 00007F257C7FEF38h
                                lea eax, dword ptr [ebx+01h]
                                call 00007F257C7DFB83h
                                mov dword ptr [ebp-10h], eax
                                test eax, eax
                                je 00007F257C7FEF4Eh
                                push 0042D014h
                                push eax
                                call dword ptr [00639134h]
                                call dword ptr [006390E4h]
                                movzx eax, ax
                                add eax, FFFFFBE7h
                                cmp eax, 2Ah
                                jnbe 00007F257C7FEF58h
                                movzx eax, byte ptr [eax+00421E54h]
                                jmp dword ptr [00421E4Ch+eax*4]
                                push 00000000h
                                call dword ptr [0063901Ch]
                                call 00007F257C7FFD72h
                                mov ecx, dword ptr [00638D40h]
                                call 00007F257C8010A7h
                                test eax, eax
                                jne 00007F257C7FEF5Dh
                                call 00007F257C7FFCCEh
                                mov ecx, dword ptr [00638E1Ch]
                                call 00007F257C801093h
                                test eax, eax
                                jne 00007F257C7FEF49h
                                push eax
                                call dword ptr [0063901Ch]
                                mov edi, dword ptr [00638D40h]
                                push edi
                                call dword ptr [00638FACh]
                                lea esi, dword ptr [ebx+eax]
                                lea eax, dword ptr [esi+01h]
                                call 00007F257C7DFB00h
                                mov ebx, eax
                                mov dword ptr [ebp-34h], ebx
                                test ebx, ebx
                                je 00007F257C7FEF5Dh
                                mov eax, dword ptr [ebp-10h]
                                test eax, eax
                                je 00007F257C7FEF56h
                                test edi, edi
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3664c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24a000 | 0x3c7c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2951a | 0x29600 | b4874e90ee0ee483a541371023527a0f | False | 0.40295742069486407 | data | 6.3775660830573315 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0xbbac | 0xbc00 | 7385cc66718c659bfcf4179908561ee1 | False | 0.5965134640957447 | OpenPGP Secret Key | 6.670254113234216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0x212bec | 0xc00 | f7d82f3649bd5266c892c8c1b457e92b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x24a000 | 0x5d00 | 0x5e00 | 3aaf8fa46dd3fc3e2cea297379ccf4c1 | False | 0.5251828457446809 | data | 5.249844058590275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | rand, strncpy, ??_V@YAXPAX@Z, strtok, memchr, strtok_s, ??_U@YAPAXI@Z, strcpy_s, vsprintf_s, memmove, strlen, malloc, free, memcmp, ??2@YAPAXI@Z, memset, memcpy, __CxxFrameHandler3, _except_handler3
KERNEL32.dll | InitializeCriticalSectionAndSpinCount, GetStringTypeW, MultiByteToWideChar, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, lstrlenA, HeapAlloc, GetProcessHeap, VirtualProtect, CreateProcessA, lstrcatA, VirtualQueryEx, OpenProcess, ReadProcessMemory, WriteFile, GetCPInfo, WideCharToMultiByte, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, TerminateProcess, GetCurrentProcess, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, GetProcAddress, GetModuleHandleW, ExitProcess, Sleep, GetStdHandle, GetModuleFileNameW, GetLastError, LoadLibraryW, TlsGetValue, TlsSetValue, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, RaiseException
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:59:13.802979+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.5 | 49704 | 135.181.65.216 | 443 | TCP
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 07:59:09.092545986 CET | 49704 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:09.092575073 CET | 443 | 49704 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:09.096487999 CET | 49704 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:09.110738039 CET | 49704 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:09.110759020 CET | 443 | 49704 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:13.802838087 CET | 443 | 49704 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:13.802978992 CET | 49704 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:13.806602955 CET | 49704 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:13.806623936 CET | 443 | 49704 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:13.829894066 CET | 49705 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:13.829948902 CET | 443 | 49705 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:13.830092907 CET | 49705 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:13.830262899 CET | 49705 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:13.830279112 CET | 443 | 49705 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:18.523478985 CET | 443 | 49705 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:18.523647070 CET | 49705 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:18.524873972 CET | 49705 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:18.524895906 CET | 443 | 49705 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:18.525799990 CET | 49706 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:18.525850058 CET | 443 | 49706 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:18.525938988 CET | 49706 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:18.526151896 CET | 49706 | 443 | 192.168.2.5 | 135.181.65.216
Dec 23, 2024 07:59:18.526186943 CET | 443 | 49706 | 135.181.65.216 | 192.168.2.5
Dec 23, 2024 07:59:18.526246071 CET | 49706 | 443 | 192.168.2.5 | 135.181.65.216
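The packet table lists one TCP segment per row; an analyst wants it as connections. The Python below is added here as an example and is not part of the Joe Sandbox report. It re-types the 24 rows above as constructed input (same values; the nanosecond digits are truncated because datetime stops at microseconds), groups the segments into connections, and reports per-connection segment counts in each direction, the longest silence within a connection, and how soon after one connection's last segment the next one opens. On this data it shows three back-to-back connections from 192.168.2.5 to 135.181.65.216:443 (client ports 49704, 49705, 49706), each opened within tens of milliseconds of the previous one ending, and a pause of about 4.7 s inside the first two between the client's last segment and the server's answer; the third connection is cut off where the table ends.

```python
from datetime import datetime

# Constructed input: the 24 rows of the report's TCP packet table, re-typed as
# "time sport dport sip dip" (same values; the date is 2024-12-23 for all rows).
PACKETS = """\
07:59:09.092545986 49704 443 192.168.2.5 135.181.65.216
07:59:09.092575073 443 49704 135.181.65.216 192.168.2.5
07:59:09.096487999 49704 443 192.168.2.5 135.181.65.216
07:59:09.110738039 49704 443 192.168.2.5 135.181.65.216
07:59:09.110759020 443 49704 135.181.65.216 192.168.2.5
07:59:13.802838087 443 49704 135.181.65.216 192.168.2.5
07:59:13.802978992 49704 443 192.168.2.5 135.181.65.216
07:59:13.806602955 49704 443 192.168.2.5 135.181.65.216
07:59:13.806623936 443 49704 135.181.65.216 192.168.2.5
07:59:13.829894066 49705 443 192.168.2.5 135.181.65.216
07:59:13.829948902 443 49705 135.181.65.216 192.168.2.5
07:59:13.830092907 49705 443 192.168.2.5 135.181.65.216
07:59:13.830262899 49705 443 192.168.2.5 135.181.65.216
07:59:13.830279112 443 49705 135.181.65.216 192.168.2.5
07:59:18.523478985 443 49705 135.181.65.216 192.168.2.5
07:59:18.523647070 49705 443 192.168.2.5 135.181.65.216
07:59:18.524873972 49705 443 192.168.2.5 135.181.65.216
07:59:18.524895906 443 49705 135.181.65.216 192.168.2.5
07:59:18.525799990 49706 443 192.168.2.5 135.181.65.216
07:59:18.525850058 443 49706 135.181.65.216 192.168.2.5
07:59:18.525938988 49706 443 192.168.2.5 135.181.65.216
07:59:18.526151896 49706 443 192.168.2.5 135.181.65.216
07:59:18.526186943 443 49706 135.181.65.216 192.168.2.5
07:59:18.526246071 49706 443 192.168.2.5 135.181.65.216
"""


def parse_rows(text, day="2024-12-23"):
    """Parse 'time sport dport sip dip' lines into (datetime, int, int, str, str).
    datetime has no nanoseconds, so the sandbox timestamps are cut to microseconds."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split()
        t = datetime.strptime(f"{day} {ts[:15]}", "%Y-%m-%d %H:%M:%S.%f")
        rows.append((t, int(sport), int(dport), sip, dip))
    return rows


def summarize_flows(rows):
    """Group segments into connections. The flow key ignores direction; the side
    that sends the first segment is taken as the client. Returns flows by start time."""
    flows = {}
    for t, sport, dport, sip, dip in sorted(rows):
        key = frozenset([(sip, sport), (dip, dport)])
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": (sip, sport), "server": (dip, dport),
                              "first": t, "last": t, "prev": t,
                              "c2s": 0, "s2c": 0, "max_silence": 0.0}
        # longest pause between consecutive segments of this connection
        f["max_silence"] = max(f["max_silence"], (t - f["prev"]).total_seconds())
        f["prev"] = f["last"] = t
        f["c2s" if (sip, sport) == f["client"] else "s2c"] += 1
    return sorted(flows.values(), key=lambda f: f["first"])


def reconnect_gaps(flows):
    """Seconds from one connection's last segment to the next connection's first
    segment, for consecutive connections to the same server endpoint."""
    return [(b["first"] - a["last"]).total_seconds()
            for a, b in zip(flows, flows[1:]) if a["server"] == b["server"]]


def analyze(text=PACKETS):
    flows = summarize_flows(parse_rows(text))
    return {"flows": flows, "gaps": reconnect_gaps(flows)}


if __name__ == "__main__":
    result = analyze()
    for f in result["flows"]:
        dur = (f["last"] - f["first"]).total_seconds()
        print(f"{f['client'][0]}:{f['client'][1]} -> {f['server'][0]}:{f['server'][1]}  "
              f"c2s={f['c2s']} s2c={f['s2c']} duration={dur:.3f}s "
              f"longest_silence={f['max_silence']:.3f}s")
    print("gap before next connection:", [f"{g:.3f}s" for g in result["gaps"]])
```

Each connection carries a handful of segments and is closed before the next one opens, which matches the WinINet sequence the execution graph records (HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle) repeated once per request. The 4.7 s pause inside a connection sits between the client's last segment and the server's first data segment, so it is server-side latency, not a sleep in the sample.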


                                Target ID:0
                                Start time:01:59:08
                                Start date:23/12/2024
                                Path:C:\Users\user\Desktop\daw21.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\daw21.exe"
                                Imagebase:0xdd0000
                                File size:245'760 bytes
                                MD5 hash:08D493BFDFA30242A5846DBDEF4C1948
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.2038269918.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2621310462.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Note: the first six matches fall inside the mapped image (imagebase 0xdd0000; the 0xDFB000 region is reported in two separate dumps), while the 0xB2E000 region lies below the image base, i.e. in memory the process allocated at run time. The rule therefore also fires on data the process wrote while running, not only on the strings present in the on-disk file.
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:01:59:32
                                Start date:23/12/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 1388
                                Imagebase:0x1000000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:19.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:24.9%
                                  Total number of Nodes:1315
                                  Total number of Limit Nodes:38
Execution graph (the interactive graph view, flattened to text in this copy; the node-by-node dump is condensed here to the call chains it records, with addresses as shown in the process at imagebase 0xdd0000)

• String decryption: the routine at 0xdd4980 is called from well over three hundred consecutive call sites (the chain from 0xdd2d90 through 0xdd4969, and again from 0xdd29a0 through 0xdd2d62), each invocation reported as "34 API calls" (the first as "17 API calls"). Inside, 0xdd4980 branches to 0xdd4a1e/0xdd4a26 (11 API calls) and 0xdd4a9a (6 API calls). A helper hit from hundreds of sites in a row is the pattern behind the "string decryption / allocating functions" signatures.

• Dynamic API resolution: 0xdf63c0 reads the PEB (GetPEB), then 0xdf65f3 issues five LoadLibraryA calls followed by runs of GetProcAddress (0xdf6655 through 0xdf66dd); a second resolver at 0xdf6710 (0xdf6b2e through 0xdf7203) issues further GetProcAddress runs in groups of two to five. These are where the WinINet, crypt32, advapi32 and shlwapi functions used below are obtained, none of which appear in the static import table.

• Host profiling and a time check (0xdf1bd0 → 0xdf1be3): GetUserDefaultLangID (0xdf1c15); GetProcessHeap, HeapAlloc, GetComputerNameA (0xdf2a70); repeated lstrlenA; GetProcessHeap, HeapAlloc, GetUserNameA (0xdf29e0); OpenEventA (0xdf1ddc) and CreateEventA (0xdf1e14); then GetSystemTime (0xdf1b00), a string assembled with lstrcpy/lstrcatA/lstrlenA (0xdf1800 through 0xdf1ae8), sscanf (0xdf1b61), two SystemTimeToFileTime calls (0xdd2934) and a comparison whose one branch (0xdf1bb6 → 0xdf1bc2) ends in ExitProcess. This is the date check the "evasive API chain" signature refers to.

• Network communication over WinINet (0xdd4b80): 0xdd4ae0 calls operator new three times, lstrlenA and InternetCrackUrlA; 0xdd4cdc calls InternetOpenA and StrCmpCA; 0xdf3e10 calls GetSystemTime; request strings are assembled with lstrcpy/lstrcatA/lstrlenA (0xdf72b0, 0xdf72f0, 0xdf7340); then InternetConnectA (0xdd5051), HttpOpenRequestA (0xdd5080), HttpSendRequestA and InternetReadFile (0xdd52e1) with a read loop that appends to a buffer (0xdd5322 through 0xdd53aa), and InternetCloseHandle (0xdd53cc, 0xdd53e1, 0xdd53e8). The response is decoded with CryptStringToBinaryA called twice around a LocalAlloc (0xdd53e8, 0xdd5418, 0xdd542f), the usual size-query-then-decode pattern, with LocalFree on the failure path (0xdd5447). CryptStringToBinaryA handles base64 and hex string encodings.

• A string-handling routine at 0xdef300 chains lstrlenA/lstrcpy with repeated StrCmpCA comparisons (0xdef788, 0xdef88a, 0xdefbcb, 0xdeff0b) and calls into 0xdd1410 (8 API calls) and 0xdef100 (36 API calls). The graph dump is truncated in this copy at that point.
deff1f Sleep 6124->6130 6138 deff35 6124->6138 6126 df0083 lstrlenA 6125->6126 6127 df007b lstrcpy 6125->6127 6131 df009f 6126->6131 6127->6126 6128 def7be lstrcpy 6128->6175 6129 defbfb lstrlenA 6129->6160 6130->6160 6136 df00c0 lstrlenA 6131->6136 6141 df00b8 lstrcpy 6131->6141 6133 df001a lstrlenA 6132->6133 6134 df0012 lstrcpy 6132->6134 6143 df0036 6133->6143 6134->6133 6135 defa26 lstrcpy 6135->6160 6145 df00dc 6136->6145 6137 def8ed lstrcpy 6137->6160 6139 deff57 lstrlenA 6138->6139 6142 deff4f lstrcpy 6138->6142 6151 deff73 6139->6151 6140 defd66 lstrcpy 6140->6160 6141->6136 6142->6139 6144 deff94 lstrlenA 6143->6144 6147 df004f lstrcpy 6143->6147 6161 deffb0 6144->6161 6152 df00fd 6145->6152 6158 df00f5 lstrcpy 6145->6158 6146 defc2e lstrcpy 6146->6160 6147->6144 6149 defa56 lstrcpy 6149->6175 6150 def910 lstrcpy 6150->6160 6151->6144 6156 deff8c lstrcpy 6151->6156 6159 dd1510 4 API calls 6152->6159 6153 def812 lstrcpy 6153->6175 6154 defc51 lstrcpy 6154->6160 6155 deefe0 28 API calls 6155->6160 6156->6144 6157 defd96 lstrcpy 6157->6175 6158->6152 6177 deffdd 6159->6177 6160->6110 6160->6111 6160->6112 6160->6113 6160->6114 6160->6115 6160->6118 6160->6121 6160->6122 6160->6123 6160->6124 6160->6129 6160->6135 6160->6137 6160->6140 6160->6146 6160->6149 6160->6150 6160->6154 6160->6155 6160->6157 6165 def964 lstrcpy 6160->6165 6168 defca5 lstrcpy 6160->6168 6160->6175 6162 deffd1 6161->6162 6163 deffc9 lstrcpy 6161->6163 6178 dd1510 6162->6178 6163->6162 6165->6160 6166 defab5 lstrcpy 6166->6175 6167 defb30 StrCmpCA 6167->6122 6167->6175 6168->6160 6169 defdf5 lstrcpy 6169->6175 6170 defe70 StrCmpCA 6170->6124 6170->6175 6171 defb63 lstrcpy 6171->6175 6172 defea3 lstrcpy 6172->6175 6173 deefe0 28 API calls 6173->6175 6174 defbb7 lstrcpy 6174->6175 6175->6116 6175->6117 6175->6119 6175->6120 6175->6122 6175->6124 6175->6128 6175->6153 6175->6160 6175->6166 6175->6167 6175->6169 6175->6170 6175->6171 6175->6172 6175->6173 6175->6174 6176 defef7 lstrcpy 
6175->6176 6176->6175 6179 dd151f 6178->6179 6180 dd152b lstrcpy 6179->6180 6181 dd1533 6179->6181 6180->6181 6182 dd154d lstrcpy 6181->6182 6183 dd1555 6181->6183 6182->6183 6184 dd156f lstrcpy 6183->6184 6186 dd1577 6183->6186 6184->6186 6185 dd1599 6185->6177 6186->6185 6187 dd1591 lstrcpy 6186->6187 6187->6185 5272 dd5570 GetProcessHeap RtlAllocateHeap InternetOpenA InternetOpenUrlA 5273 dd5627 InternetCloseHandle InternetCloseHandle 5272->5273 5274 dd55d1 5272->5274 5278 dd563f 5273->5278 5275 dd55d8 InternetReadFile 5274->5275 5276 dd5623 5274->5276 5277 dd5600 KiUserExceptionDispatcher 5274->5277 5275->5274 5275->5276 5276->5273 5277->5274 5277->5277 6188 deef30 6189 deef50 6188->6189 6190 deef68 6189->6190 6191 deef60 lstrcpy 6189->6191 6196 dd1410 6190->6196 6191->6190 6195 deef7e 6197 dd1510 4 API calls 6196->6197 6198 dd141b 6197->6198 6199 dd1435 lstrcpy 6198->6199 6200 dd143d 6198->6200 6199->6200 6201 dd1457 lstrcpy 6200->6201 6202 dd145f 6200->6202 6201->6202 6203 dd1479 lstrcpy 6202->6203 6205 dd1481 6202->6205 6203->6205 6204 dd14e5 6207 dd56c0 6204->6207 6205->6204 6206 dd14dd lstrcpy 6205->6206 6206->6204 6208 dd56e0 6207->6208 6209 dd56f5 6208->6209 6210 dd56ed lstrcpy 6208->6210 6211 dd4ae0 5 API calls 6209->6211 6210->6209 6212 dd5700 6211->6212 6355 df4090 6212->6355 6214 dd5736 lstrlenA 6215 df4090 4 API calls 6214->6215 6216 dd5755 6215->6216 6217 dd577e lstrcpy 6216->6217 6218 dd578a 6216->6218 6217->6218 6219 dd57bd lstrcpy 6218->6219 6220 dd57c9 6218->6220 6219->6220 6221 dd57ed lstrcpy 6220->6221 6222 dd57f9 6220->6222 6221->6222 6223 dd5822 lstrcpy 6222->6223 6224 dd582e 6222->6224 6223->6224 6225 dd585c lstrcpy 6224->6225 6226 dd5868 InternetOpenA StrCmpCA 6224->6226 6225->6226 6227 dd589c 6226->6227 6228 dd5f34 InternetCloseHandle 6227->6228 6229 df3e10 3 API calls 6227->6229 6247 dd5f6a 6228->6247 6230 dd58b6 6229->6230 6231 dd58de lstrcpy lstrcatA 6230->6231 6232 dd58f3 6230->6232 6231->6232 6233 dd5912 lstrcpy 6232->6233 6234 
dd591a 6232->6234 6233->6234 6235 dd5929 lstrlenA 6234->6235 6236 dd5941 6235->6236 6237 dd594e lstrcpy lstrcatA 6236->6237 6239 dd5962 6236->6239 6237->6239 6238 dd598f lstrlenA 6240 dd59a5 6238->6240 6239->6238 6241 dd597c lstrcpy lstrcatA 6239->6241 6242 dd59af lstrcpy lstrcatA 6240->6242 6243 dd59c3 6240->6243 6241->6238 6242->6243 6244 dd59e2 lstrcpy 6243->6244 6245 dd59ea 6243->6245 6244->6245 6246 dd59ff lstrlenA 6245->6246 6248 dd5a1a 6246->6248 6247->6195 6249 dd5a2b lstrcpy lstrcatA 6248->6249 6250 dd5a3b 6248->6250 6249->6250 6251 dd5a59 lstrcpy lstrcatA 6250->6251 6252 dd5a6c 6250->6252 6251->6252 6253 dd5a8a lstrcpy 6252->6253 6254 dd5a92 6252->6254 6253->6254 6255 dd5aa0 InternetConnectA 6254->6255 6256 dd5acf HttpOpenRequestA 6255->6256 6257 dd5f2e 6255->6257 6258 dd5b0b 6256->6258 6259 dd5f27 InternetCloseHandle 6256->6259 6257->6228 6260 df7340 3 API calls 6258->6260 6259->6257 6261 dd5b1b 6260->6261 6262 df72b0 lstrcpy 6261->6262 6263 dd5b24 6262->6263 6264 df72f0 2 API calls 6263->6264 6265 dd5b37 6264->6265 6266 df72b0 lstrcpy 6265->6266 6267 dd5b40 6266->6267 6268 df7340 3 API calls 6267->6268 6269 dd5b55 6268->6269 6270 df72b0 lstrcpy 6269->6270 6271 dd5b5e 6270->6271 6272 df7340 3 API calls 6271->6272 6273 dd5b74 6272->6273 6274 df72b0 lstrcpy 6273->6274 6275 dd5b7d 6274->6275 6276 df7340 3 API calls 6275->6276 6277 dd5b93 6276->6277 6278 df72b0 lstrcpy 6277->6278 6279 dd5b9c 6278->6279 6280 df7340 3 API calls 6279->6280 6281 dd5bb1 6280->6281 6282 df72b0 lstrcpy 6281->6282 6283 dd5bba 6282->6283 6284 df72f0 2 API calls 6283->6284 6285 dd5bcd 6284->6285 6286 df72b0 lstrcpy 6285->6286 6287 dd5bd6 6286->6287 6288 df7340 3 API calls 6287->6288 6289 dd5beb 6288->6289 6290 df72b0 lstrcpy 6289->6290 6291 dd5bf4 6290->6291 6292 df7340 3 API calls 6291->6292 6293 dd5c09 6292->6293 6294 df72b0 lstrcpy 6293->6294 6295 dd5c12 6294->6295 6296 df72f0 2 API calls 6295->6296 6297 dd5c25 6296->6297 6298 df72b0 lstrcpy 6297->6298 6299 dd5c2e 6298->6299 6300 
df7340 3 API calls 6299->6300 6301 dd5c43 6300->6301 6302 df72b0 lstrcpy 6301->6302 6303 dd5c4c 6302->6303 6304 df7340 3 API calls 6303->6304 6305 dd5c62 6304->6305 6306 df72b0 lstrcpy 6305->6306 6307 dd5c6b 6306->6307 6308 df7340 3 API calls 6307->6308 6309 dd5c81 6308->6309 6310 df72b0 lstrcpy 6309->6310 6311 dd5c8a 6310->6311 6312 df7340 3 API calls 6311->6312 6313 dd5c9f 6312->6313 6314 df72b0 lstrcpy 6313->6314 6315 dd5ca8 6314->6315 6316 df7340 3 API calls 6315->6316 6317 dd5cbb 6316->6317 6318 df72b0 lstrcpy 6317->6318 6319 dd5cc4 6318->6319 6320 df7340 3 API calls 6319->6320 6321 dd5cd9 6320->6321 6322 df72b0 lstrcpy 6321->6322 6323 dd5ce2 6322->6323 6324 df7340 3 API calls 6323->6324 6325 dd5cf7 6324->6325 6326 df72b0 lstrcpy 6325->6326 6327 dd5d00 6326->6327 6328 df72f0 2 API calls 6327->6328 6329 dd5d13 6328->6329 6330 df72b0 lstrcpy 6329->6330 6331 dd5d1c 6330->6331 6332 df7340 3 API calls 6331->6332 6333 dd5d31 6332->6333 6334 df72b0 lstrcpy 6333->6334 6335 dd5d3a 6334->6335 6336 df7340 3 API calls 6335->6336 6337 dd5d50 6336->6337 6338 df72b0 lstrcpy 6337->6338 6339 dd5d59 6338->6339 6340 df7340 3 API calls 6339->6340 6341 dd5d6f 6340->6341 6342 df72b0 lstrcpy 6341->6342 6343 dd5d78 6342->6343 6344 df7340 3 API calls 6343->6344 6345 dd5d8d 6344->6345 6346 df72b0 lstrcpy 6345->6346 6347 dd5d96 6346->6347 6348 dd5d9e 14 API calls 6347->6348 6349 dd5f1a InternetCloseHandle 6348->6349 6353 dd5e6a 6348->6353 6349->6259 6350 dd5e7b lstrlenA 6350->6353 6351 dd5eac lstrcpy lstrcatA 6351->6353 6352 dd5ee9 lstrcpy 6352->6353 6353->6349 6353->6350 6353->6351 6353->6352 6354 dd5ef8 InternetReadFile 6353->6354 6354->6349 6354->6353 6356 df409a 6355->6356 6357 df40a0 CryptBinaryToStringA 6355->6357 6356->6214 6357->6356 6358 df40b7 GetProcessHeap HeapAlloc 6357->6358 6358->6356 6359 df40d2 CryptBinaryToStringA 6358->6359 6359->6214 6909 ddbce9 6910 ddbcf0 6909->6910 6911 ddbd09 lstrcpy 6910->6911 6925 ddbd15 6910->6925 6911->6925 6912 ddbef4 lstrlenA 6913 ddbf03 
lstrlenA 6912->6913 6927 ddbf4e 6912->6927 6914 ddbf1d 6913->6914 6916 ddbf32 6914->6916 6917 ddbf2a lstrcpy 6914->6917 6915 ddbd3c lstrlenA 6915->6925 6918 dd1410 8 API calls 6916->6918 6917->6916 6919 ddbf42 6918->6919 6928 deef30 6919->6928 6921 ddbd67 lstrcpy lstrcatA 6921->6925 6922 ddbe0e lstrlenA 6922->6925 6923 ddbd9a lstrcpy 6923->6925 6924 ddbe32 lstrcpy lstrcatA 6924->6925 6925->6912 6925->6915 6925->6921 6925->6922 6925->6923 6925->6924 6926 ddbe6a lstrcpy 6925->6926 6926->6925 6929 deef50 6928->6929 6930 deef68 6929->6930 6931 deef60 lstrcpy 6929->6931 6932 dd1410 8 API calls 6930->6932 6931->6930 6933 deef78 6932->6933 6934 dd56c0 69 API calls 6933->6934 6935 deef7e 6934->6935 6935->6927 6538 df26e0 GetWindowsDirectoryA 6539 df272c GetVolumeInformationA 6538->6539 6540 df2725 6538->6540 6541 df278c GetProcessHeap HeapAlloc 6539->6541 6540->6539 6543 df27c6 wsprintfA 6541->6543 6544 df27c2 6541->6544 6543->6544 6547 df7210 6544->6547 6548 df7216 6547->6548 6549 df722c lstrcpy 6548->6549 6550 df2800 6548->6550 6549->6550 6578 df2820 GetProcessHeap HeapAlloc 6585 df28b0 GetProcessHeap HeapAlloc RegOpenKeyExA 6578->6585 6581 df285a RegOpenKeyExA 6583 df287b RegQueryValueExA 6581->6583 6584 df2892 RegCloseKey 6581->6584 6582 df2850 6583->6584 6586 df290b RegCloseKey 6585->6586 6587 df28f5 RegQueryValueExA 6585->6587 6588 df2849 6586->6588 6587->6586 6588->6581 6588->6582
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD4BAF
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD4C02
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD4C35
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD4C65
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD4CA3
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD4CD6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DD4CE6
Memory Dump Source
• Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------$LP$LP$LP
                                  • API String ID: 2041821634-2504685677
                                  • Opcode ID: 5b07d49727cebb4614462e235744c22d78d7503193e091a76591e65ed3bd5479
                                  • Instruction ID: 545ff9c4ec3136abe882359b61a4fb8193b9a8f6f92fbb92dd6f09221fc9a102
                                  • Opcode Fuzzy Hash: 5b07d49727cebb4614462e235744c22d78d7503193e091a76591e65ed3bd5479
                                  • Instruction Fuzzy Hash: C2526D31A016199FDB21EFB4D849AAE7BB9EF44300F198026F945A7355DB34ED42CBB0

Control-flow Graph

control_flow_graph (function dd56c0; coverage export condensed to basic-block ranges and the calls each block makes)
• dd56c0-dd56e4 call dd2840 → dd56f5-dd56fb call dd4ae0 → dd5700-dd5760 call df4090, lstrlenA, call df4090
• dd576c-dd5862: five rounds of a short inner loop, call dd2840 and an optional lstrcpy (argument setup)
• dd5868-dd589a InternetOpenA, StrCmpCA; one branch goes straight to the common exit dd5f34-dd5ff3 InternetCloseHandle, call dd2930 ×17
• dd58ab-dd58d3 call df3e10, call dd2840; dd58d5-dd5a8c alternating call dd2840 / call dd2930 with lstrlenA, lstrcpy, lstrcatA (request body assembly)
• dd5a92-dd5ac9 call dd2930 ×2, InternetConnectA → dd5acf-dd5b05 HttpOpenRequestA; InternetConnectA failure goes to dd5f2e-dd5f31 → dd5f34, HttpOpenRequestA failure to dd5f27-dd5f28 InternetCloseHandle → dd5f2e
• dd5b0b-dd5e64: 22 rounds of call df7340 or call df72f0, call df72b0, call dd2930, then lstrlenA ×2, GetProcessHeap, HeapAlloc, lstrlenA, memcpy, lstrlenA, memcpy, lstrlenA ×2, memcpy, lstrlenA, HttpSendRequestA, InternetReadFile
• dd5e6a-dd5f14 response loop: lstrlenA, call dd2840, lstrcpy, lstrcatA, call dd2930, call dd2840, lstrcpy, call dd2930, InternetReadFile, back to dd5e70; loop exit dd5f1a-dd5f24 InternetCloseHandle → dd5f27
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD56EF
                                  • lstrlenA.KERNEL32(?), ref: 00DD5742
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD5784
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD57C3
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD57F3
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD5828
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ------$"$--$------$LP$LP$LP$LP$LP
                                  • API String ID: 367037083-905720104
                                  • Opcode ID: 871b0fb4908d0a8d4bf44bb26befd73086b7db17bf88e7dff4ab7345c5c65a36
                                  • Instruction ID: c661ee0942af813ace08a5e601c22a36ca4787554a7b047c37afd1e0cd3c8e51
                                  • Opcode Fuzzy Hash: 871b0fb4908d0a8d4bf44bb26befd73086b7db17bf88e7dff4ab7345c5c65a36
                                  • Instruction Fuzzy Hash: 85423E71E006199FCB21EBB4D845AAE77B5EF44310F198025FA49A7356DB34EE068BF0
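The Joe Sandbox IDA plugin exports each control-flow graph as a whitespace-separated token stream: `id addr label ...` opens a node (the labels are the APIs called in that basic block, or a summary such as `8 API calls` or `call dd2840`), and `src->dst` is an edge. The script below is an added example, not part of this report or of the plugin; it parses that stream and answers the triage question the two graphs on this page raise for dd4b80 and dd56c0: does the function reach the complete WinINet request chain (InternetOpenA through InternetReadFile)? `SAMPLE` is a constructed excerpt of the dd4b80 graph with the string-building nodes between the WinINet calls collapsed, and the token regexes are assumptions fitted to the listing on this page.

```python
"""Parse a Joe Sandbox control_flow_graph token stream and report which Win32
APIs a function can reach. Added example; the stream format is inferred from
the listings on this page, and SAMPLE is a constructed excerpt of the dd4b80
graph with the nodes between the WinINet calls collapsed."""
import re
from collections import deque

NODE_ID = re.compile(r"^\d+$")
# addresses look like dd4b80 or, in coverage exports, dd56c0-dd56e4
ADDR = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# label tokens that are structure, not API names ("8 API calls", "call dd2840", "lstrlenA * 2")
NOISE = {"API", "calls", "call", "*"}

WININET_REQUEST_CHAIN = (
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
    "HttpSendRequestA", "InternetReadFile",
)

# Constructed excerpt: the real dd4b80 graph has about 150 nodes between these.
SAMPLE = (
    "5916 dd4b80 5917 dd4ba0 5916->5917 5918 dd4bb5 5917->5918 "
    "5919 dd4bad lstrcpy 5917->5919 6070 dd4ae0 5918->6070 5919->5918 "
    "5921 dd4bc0 5929 dd4ca9 5921->5929 "
    "5930 dd4cdc InternetOpenA StrCmpCA 5929->5930 5931 dd4cd0 lstrcpy 5929->5931 "
    "5932 dd4d10 5930->5932 5931->5930 5989 dd5043 5932->5989 "
    "5990 dd5051 InternetConnectA 5989->5990 5991 dd5080 HttpOpenRequestA 5990->5991 "
    "5992 dd50bb 5991->5992 "
    "6062 dd52e1 lstrlenA lstrlenA HttpSendRequestA InternetReadFile 5992->6062 "
    "6063 dd53cc InternetCloseHandle 6062->6063 "
    "6071 dd4af0 6070->6071 6071->6071 "
    "6072 dd4af7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlenA InternetCrackUrlA 6071->6072 "
    "6073 dd4b61 6072->6073 6073->5921 "
    "6551 df6710 6552 df6b2e 8 API calls 6551->6552"
)


def parse_cfg(stream):
    """Return (nodes, edges): nodes maps id -> {'addr', 'labels'}, edges maps id -> set of successors."""
    nodes, edges = {}, {}
    toks = stream.split()
    cur = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            src, dst = m.group(1), m.group(2)
            edges.setdefault(src, set()).add(dst)
            edges.setdefault(dst, set())
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = tok                      # "id addr" opens a new node
            nodes[cur] = {"addr": toks[i + 1], "labels": []}
            edges.setdefault(cur, set())
            i += 2
        else:
            if cur is not None:            # anything else annotates the open node
                nodes[cur]["labels"].append(tok)
            i += 1
    return nodes, edges


def api_names(node):
    """API names among a node's labels, dropping counts, callee addresses and glue words."""
    return [t for t in node["labels"]
            if t not in NOISE and not NODE_ID.match(t) and not ADDR.match(t)]


def node_for_addr(nodes, addr):
    """Node id whose block starts at addr (the first half of a range address), or None."""
    for nid, n in nodes.items():
        if n["addr"].split("-")[0] == addr:
            return nid
    return None


def reachable_apis(nodes, edges, root):
    """Set of API names on every node reachable from root (BFS over successor edges)."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        nid = queue.popleft()
        if nid in nodes:
            apis.update(api_names(nodes[nid]))
        for succ in edges.get(nid, ()):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return apis


def missing_from_chain(apis, chain=WININET_REQUEST_CHAIN):
    """Chain APIs the function never reaches; an empty list means the full request chain is present."""
    return [a for a in chain if a not in apis]


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    root = node_for_addr(nodes, "dd4b80")
    apis = reachable_apis(nodes, edges, root)
    print("dd4b80 reaches:", ", ".join(sorted(apis)))
    print("missing from WinINet chain:", missing_from_chain(apis) or "none")
```

Run on the full export of either graph on this page, the same root lookup (`dd4b80` or `dd56c0`) returns an empty `missing_from_chain`, which is the property that distinguishes a request routine from the string-building helpers around it; the 15 and 22 append rounds in between do not change the verdict, only the graph size.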

                                  Control-flow Graph

                                  APIs
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4994
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD499B
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49A2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49A9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49B0
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD49BB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00DD49C2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49D2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49D9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49E0
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49E7
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49EE
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD49F9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A00
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A07
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A0E
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A15
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A2B
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A32
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A39
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A40
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A47
                                  • strlen.MSVCRT ref: 00DD4A4F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A73
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A7A
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A81
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A88
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A8F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4A9F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4AA6
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4AAD
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4AB4
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00DD4ABB
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00DD4AD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 2127927946-3329630956
                                  • Opcode ID: 5a710236c893eea6757a01826fb93a62ee466b3de8b05347751ec0d0081699f3
                                  • Instruction ID: 3e340017adcbf9dc1817f7f78e97059144b3fbd4bd0a8829d098eb5c6e5ab4e6
                                  • Opcode Fuzzy Hash: 5a710236c893eea6757a01826fb93a62ee466b3de8b05347751ec0d0081699f3
                                  • Instruction Fuzzy Hash: E931F6E0F8032E76C6247BAE8D4AD5E7ED4DF857E0B297053B618661C0C9F054A5CEB2

                                   Control-flow Graph (rendered graph omitted; entry block df63c0-df63ed calls GetPEB, and the remaining blocks resolve imports through LoadLibraryA * 5 and repeated GetProcAddress calls)
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,00B316F8), ref: 00DF6419
                                  • GetProcAddress.KERNEL32(75900000,00B319B0), ref: 00DF6432
                                  • GetProcAddress.KERNEL32(75900000,00B318A8), ref: 00DF644A
                                  • GetProcAddress.KERNEL32(75900000,00B317A0), ref: 00DF6462
                                  • GetProcAddress.KERNEL32(75900000,00B31250), ref: 00DF647B
                                  • GetProcAddress.KERNEL32(75900000,00B2AC20), ref: 00DF6493
                                  • GetProcAddress.KERNEL32(75900000,00B2AD40), ref: 00DF64AB
                                  • GetProcAddress.KERNEL32(75900000,00B319C8), ref: 00DF64C4
                                  • GetProcAddress.KERNEL32(75900000,00B316E0), ref: 00DF64DC
                                  • GetProcAddress.KERNEL32(75900000,00B31710), ref: 00DF64F4
                                  • GetProcAddress.KERNEL32(75900000,00B31758), ref: 00DF650D
                                  • GetProcAddress.KERNEL32(75900000,00B2AC60), ref: 00DF6525
                                  • GetProcAddress.KERNEL32(75900000,00B31770), ref: 00DF653D
                                  • GetProcAddress.KERNEL32(75900000,00B317B8), ref: 00DF6556
                                  • GetProcAddress.KERNEL32(75900000,00B2ADA0), ref: 00DF656E
                                  • GetProcAddress.KERNEL32(75900000,00B317D0), ref: 00DF6586
                                  • GetProcAddress.KERNEL32(75900000,00B31800), ref: 00DF659F
                                  • GetProcAddress.KERNEL32(75900000,00B2ACC0), ref: 00DF65B7
                                  • GetProcAddress.KERNEL32(75900000,00B31A10), ref: 00DF65CF
                                  • GetProcAddress.KERNEL32(75900000,00B2AC80), ref: 00DF65E8
                                  • LoadLibraryA.KERNEL32(00B319E0,?,?,?,00DF1BE3), ref: 00DF65F9
                                  • LoadLibraryA.KERNEL32(00B31A40,?,?,?,00DF1BE3), ref: 00DF660B
                                  • LoadLibraryA.KERNEL32(00B31AA0,?,?,?,00DF1BE3), ref: 00DF661D
                                  • LoadLibraryA.KERNEL32(00B31A58,?,?,?,00DF1BE3), ref: 00DF662E
                                  • LoadLibraryA.KERNEL32(00B31A70,?,?,?,00DF1BE3), ref: 00DF6640
                                  • GetProcAddress.KERNEL32(75070000,00B319F8), ref: 00DF665D
                                  • GetProcAddress.KERNEL32(75FD0000,00B31A88), ref: 00DF6679
                                  • GetProcAddress.KERNEL32(75FD0000,00B31A28), ref: 00DF6691
                                  • GetProcAddress.KERNEL32(75A50000,00B31B78), ref: 00DF66AD
                                  • GetProcAddress.KERNEL32(74E50000,00B2ADC0), ref: 00DF66C9
                                  • GetProcAddress.KERNEL32(76E80000,00B31260), ref: 00DF66E5
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00DF66FC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00DF66F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 995d332382451e8a4549bb979bc8b029f4a50bf634f80e4650fa33e33146a833
                                  • Instruction ID: bfbb54cdece74990d494a373f13f712de5157cd69a8e2b019468445aa64b927e
                                  • Opcode Fuzzy Hash: 995d332382451e8a4549bb979bc8b029f4a50bf634f80e4650fa33e33146a833
                                  • Instruction Fuzzy Hash: 5DA184B5A116009FD776DF64E448A2637B9F788348B04891AFAC9C334ED77EA940DF60
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00DF2A0F
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DF2A16
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00DF2A2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocNameProcessUser
                                  • String ID:
                                  • API String ID: 1206570057-0
                                  • Opcode ID: cf2c63bc678b7600acdbae6f0f632352e2c15b37b82390c714a2093cf4ddcfa0
                                  • Instruction ID: eab89935e4461bba05ce332b390c6f2f51e7f4e59ae573ada2478fa21d36e0ce
                                  • Opcode Fuzzy Hash: cf2c63bc678b7600acdbae6f0f632352e2c15b37b82390c714a2093cf4ddcfa0
                                  • Instruction Fuzzy Hash: 1BF0B4B1A40608AFC710DF98DD49BAABBBCF744B25F000226FA18E3680D7B9190487A1

                                   Control-flow Graph (rendered graph omitted; the function starting at df6710 resolves imports through LoadLibraryA * 8 and repeated GetProcAddress calls, with no other API activity)
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,00B37E38), ref: 00DF6725
                                  • GetProcAddress.KERNEL32(75900000,00B37E78), ref: 00DF673D
                                  • GetProcAddress.KERNEL32(75900000,00B31D10), ref: 00DF6756
                                  • GetProcAddress.KERNEL32(75900000,00B31B60), ref: 00DF676E
                                  • GetProcAddress.KERNEL32(75900000,00B31C80), ref: 00DF6786
                                  • GetProcAddress.KERNEL32(75900000,00B31C98), ref: 00DF679F
                                  • GetProcAddress.KERNEL32(75900000,00B39FA8), ref: 00DF67B7
                                  • GetProcAddress.KERNEL32(75900000,00B31E78), ref: 00DF67CF
                                  • GetProcAddress.KERNEL32(75900000,00B31E18), ref: 00DF67E8
                                  • GetProcAddress.KERNEL32(75900000,00B31EA8), ref: 00DF6800
                                  • GetProcAddress.KERNEL32(75900000,00B31E90), ref: 00DF6818
                                  • GetProcAddress.KERNEL32(75900000,00B37C98), ref: 00DF6831
                                  • GetProcAddress.KERNEL32(75900000,00B37C58), ref: 00DF6849
                                  • GetProcAddress.KERNEL32(75900000,00B37E58), ref: 00DF6861
                                  • GetProcAddress.KERNEL32(75900000,00B37E98), ref: 00DF687A
                                  • GetProcAddress.KERNEL32(75900000,00B31E30), ref: 00DF6892
                                  • GetProcAddress.KERNEL32(75900000,00B31DE8), ref: 00DF68AA
                                  • GetProcAddress.KERNEL32(75900000,00B3A020), ref: 00DF68C3
                                  • GetProcAddress.KERNEL32(75900000,00B37CF8), ref: 00DF68DB
                                  • GetProcAddress.KERNEL32(75900000,00B31E00), ref: 00DF68F3
                                  • GetProcAddress.KERNEL32(75900000,00B31E48), ref: 00DF690C
                                  • GetProcAddress.KERNEL32(75900000,00B31E60), ref: 00DF6924
                                  • GetProcAddress.KERNEL32(75900000,00B41678), ref: 00DF693C
                                  • GetProcAddress.KERNEL32(75900000,00B37EB8), ref: 00DF6955
                                  • GetProcAddress.KERNEL32(75900000,00B41588), ref: 00DF696D
                                  • GetProcAddress.KERNEL32(75900000,00B41498), ref: 00DF6985
                                  • GetProcAddress.KERNEL32(75900000,00B413F0), ref: 00DF699E
                                  • GetProcAddress.KERNEL32(75900000,00B414B0), ref: 00DF69B6
                                  • GetProcAddress.KERNEL32(75900000,00B41618), ref: 00DF69CE
                                  • GetProcAddress.KERNEL32(75900000,00B41510), ref: 00DF69E7
                                  • GetProcAddress.KERNEL32(75900000,00B41690), ref: 00DF69FF
                                  • GetProcAddress.KERNEL32(75900000,00B416A8), ref: 00DF6A17
                                  • GetProcAddress.KERNEL32(75900000,00B41450), ref: 00DF6A30
                                  • GetProcAddress.KERNEL32(75900000,00B34608), ref: 00DF6A48
                                  • GetProcAddress.KERNEL32(75900000,00B415E8), ref: 00DF6A60
                                  • GetProcAddress.KERNEL32(75900000,00B41420), ref: 00DF6A79
                                  • GetProcAddress.KERNEL32(75900000,00B37ED8), ref: 00DF6A91
                                  • GetProcAddress.KERNEL32(75900000,00B41570), ref: 00DF6AA9
                                  • GetProcAddress.KERNEL32(75900000,00B37EF8), ref: 00DF6AC2
                                  • GetProcAddress.KERNEL32(75900000,00B41438), ref: 00DF6ADA
                                  • GetProcAddress.KERNEL32(75900000,00B416C0), ref: 00DF6AF2
                                  • GetProcAddress.KERNEL32(75900000,00B37F18), ref: 00DF6B0B
                                  • GetProcAddress.KERNEL32(75900000,00B37F38), ref: 00DF6B23
                                  • LoadLibraryA.KERNEL32(00B41468,00DF067A), ref: 00DF6B35
                                  • LoadLibraryA.KERNEL32(00B41600), ref: 00DF6B46
                                  • LoadLibraryA.KERNEL32(00B41480), ref: 00DF6B58
                                  • LoadLibraryA.KERNEL32(00B41648), ref: 00DF6B6A
                                  • LoadLibraryA.KERNEL32(00B415D0), ref: 00DF6B7B
                                  • LoadLibraryA.KERNEL32(00B41408), ref: 00DF6B8D
                                  • LoadLibraryA.KERNEL32(00B414C8), ref: 00DF6B9F
                                  • LoadLibraryA.KERNEL32(00B414E0), ref: 00DF6BB0
                                  • GetProcAddress.KERNEL32(75FD0000,00B38058), ref: 00DF6BCC
                                  • GetProcAddress.KERNEL32(75FD0000,00B414F8), ref: 00DF6BE4
                                  • GetProcAddress.KERNEL32(75FD0000,00B3EEC8), ref: 00DF6BFD
                                  • GetProcAddress.KERNEL32(75FD0000,00B41540), ref: 00DF6C15
                                  • GetProcAddress.KERNEL32(75FD0000,00B381D8), ref: 00DF6C2D
                                  • GetProcAddress.KERNEL32(6FDB0000,00B3A3E0), ref: 00DF6C4D
                                  • GetProcAddress.KERNEL32(6FDB0000,00B38258), ref: 00DF6C65
                                  • GetProcAddress.KERNEL32(6FDB0000,00B3A098), ref: 00DF6C7E
                                  • GetProcAddress.KERNEL32(6FDB0000,00B41630), ref: 00DF6C96
                                  • GetProcAddress.KERNEL32(6FDB0000,00B41660), ref: 00DF6CAE
                                  • GetProcAddress.KERNEL32(6FDB0000,00B38158), ref: 00DF6CC7
                                  • GetProcAddress.KERNEL32(6FDB0000,00B381F8), ref: 00DF6CDF
                                  • GetProcAddress.KERNEL32(6FDB0000,00B415B8), ref: 00DF6CF7
                                  • GetProcAddress.KERNEL32(763B0000,00B38078), ref: 00DF6D13
                                  • GetProcAddress.KERNEL32(763B0000,00B38198), ref: 00DF6D2B
                                  • GetProcAddress.KERNEL32(763B0000,00B41528), ref: 00DF6D44
                                  • GetProcAddress.KERNEL32(763B0000,00B413D8), ref: 00DF6D5C
                                  • GetProcAddress.KERNEL32(763B0000,00B38178), ref: 00DF6D74
                                  • GetProcAddress.KERNEL32(750F0000,00B3A408), ref: 00DF6D94
                                  • GetProcAddress.KERNEL32(750F0000,00B3A070), ref: 00DF6DAC
                                  • GetProcAddress.KERNEL32(750F0000,00B41558), ref: 00DF6DC5
                                  • GetProcAddress.KERNEL32(750F0000,00B382B8), ref: 00DF6DDD
                                  • GetProcAddress.KERNEL32(750F0000,00B38318), ref: 00DF6DF5
                                  • GetProcAddress.KERNEL32(750F0000,00B3A340), ref: 00DF6E0E
                                  • GetProcAddress.KERNEL32(75A50000,00B415A0), ref: 00DF6E2E
                                  • GetProcAddress.KERNEL32(75A50000,00B382F8), ref: 00DF6E46
                                  • GetProcAddress.KERNEL32(75A50000,00B3EE98), ref: 00DF6E5F
                                  • GetProcAddress.KERNEL32(75A50000,00B41708), ref: 00DF6E77
                                  • GetProcAddress.KERNEL32(75A50000,00B41780), ref: 00DF6E8F
                                  • GetProcAddress.KERNEL32(75A50000,00B380B8), ref: 00DF6EA8
                                  • GetProcAddress.KERNEL32(75A50000,00B38238), ref: 00DF6EC0
                                  • GetProcAddress.KERNEL32(75A50000,00B41738), ref: 00DF6ED8
                                  • GetProcAddress.KERNEL32(75A50000,00B41720), ref: 00DF6EF1
                                  • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00DF6F07
                                  • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00DF6F1E
                                  • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00DF6F35
                                  • GetProcAddress.KERNEL32(75070000,00B38358), ref: 00DF6F51
                                  • GetProcAddress.KERNEL32(75070000,00B41768), ref: 00DF6F69
                                  • GetProcAddress.KERNEL32(75070000,00B416D8), ref: 00DF6F82
                                  • GetProcAddress.KERNEL32(75070000,00B41798), ref: 00DF6F9A
                                  • GetProcAddress.KERNEL32(75070000,00B41750), ref: 00DF6FB2
                                  • GetProcAddress.KERNEL32(74E50000,00B38338), ref: 00DF6FCE
                                  • GetProcAddress.KERNEL32(74E50000,00B38398), ref: 00DF6FE6
                                  • GetProcAddress.KERNEL32(75320000,00B38038), ref: 00DF7002
                                  • GetProcAddress.KERNEL32(75320000,00B416F0), ref: 00DF701A
                                  • GetProcAddress.KERNEL32(6F060000,00B381B8), ref: 00DF703A
                                  • GetProcAddress.KERNEL32(6F060000,00B37FF8), ref: 00DF7052
                                  • GetProcAddress.KERNEL32(6F060000,00B38218), ref: 00DF706B
                                  • GetProcAddress.KERNEL32(6F060000,00B419A8), ref: 00DF7083
                                  • GetProcAddress.KERNEL32(6F060000,00B38098), ref: 00DF709B
                                  • GetProcAddress.KERNEL32(6F060000,00B380D8), ref: 00DF70B4
                                  • GetProcAddress.KERNEL32(6F060000,00B382D8), ref: 00DF70CC
                                  • GetProcAddress.KERNEL32(6F060000,00B380F8), ref: 00DF70E4
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00DF70FB
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00DF7112
                                  • GetProcAddress.KERNEL32(74E00000,00B418B8), ref: 00DF712E
                                  • GetProcAddress.KERNEL32(74E00000,00B3EF08), ref: 00DF7146
                                  • GetProcAddress.KERNEL32(74E00000,00B41858), ref: 00DF715F
                                  • GetProcAddress.KERNEL32(74E00000,00B41870), ref: 00DF7177
                                  • GetProcAddress.KERNEL32(74DF0000,00B38118), ref: 00DF7193
                                  • GetProcAddress.KERNEL32(6E330000,00B41900), ref: 00DF71AF
                                  • GetProcAddress.KERNEL32(6E330000,00B38138), ref: 00DF71C7
                                  • GetProcAddress.KERNEL32(6E330000,00B419C0), ref: 00DF71E0
                                  • GetProcAddress.KERNEL32(6E330000,00B41A80), ref: 00DF71F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: 57508b57c1d1238786da8de97f83410d98125107cb735efc0feaec6f04af65d8
                                  • Instruction ID: eeaa40c24379db867736c70c9d691f164305462706df02f2254150a5fe557275
                                  • Opcode Fuzzy Hash: 57508b57c1d1238786da8de97f83410d98125107cb735efc0feaec6f04af65d8
                                  • Instruction Fuzzy Hash: 366254B5A106009FD776DF64E888A2637B9F788345B14891AFAD9C334ED77E9840DF20
                                  APIs
                                  • lstrlenA.KERNEL32(00DFD014,00000001,00000000,00000000), ref: 00DEF32E
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF34C
                                  • lstrlenA.KERNEL32(00DFD014), ref: 00DEF357
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF371
                                  • lstrlenA.KERNEL32(00DFD014), ref: 00DEF37C
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF396
                                  • lstrcpy.KERNEL32(00000000,00E05560), ref: 00DEF3BE
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF3EC
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF422
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DEF454
                                  • lstrlenA.KERNEL32(00B37C38), ref: 00DEF476
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEF506
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DEF52B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DEF5E2
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00DEF894
                                  • lstrlenA.KERNEL32(00B3EF48), ref: 00DEF8C2
                                  • lstrcpy.KERNEL32(00000000,00B3EF48), ref: 00DEF8EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DEF912
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEF966
                                  • lstrcpy.KERNEL32(00000000,00B3EF48), ref: 00DEFA28
                                  • lstrcpy.KERNEL32(00000000,00B3EEB8), ref: 00DEFA58
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEFAB7
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 00DEFBD5
                                  • lstrlenA.KERNEL32(00B3EE78), ref: 00DEFC03
                                  • lstrcpy.KERNEL32(00000000,00B3EE78), ref: 00DEFC30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DEFC53
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEFCA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: 4e4412c0a1347e91b4724b9e726bff54c4fdd228ab1b6577aea038d649f7470e
                                  • Instruction ID: 8503d8d5a659bd46ef84c109215221408a11e0b0a1a3e65da36eddb8adae944a
                                  • Opcode Fuzzy Hash: 4e4412c0a1347e91b4724b9e726bff54c4fdd228ab1b6577aea038d649f7470e
                                  • Instruction Fuzzy Hash: C6A23D70A013819FC725EF26C448A2ABBE5EF44314F18857EE489CB366DB35DC42CB61

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD6BAF
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD6C02
                                  • InternetOpenA.WININET(00DFD014,00000001,00000000,00000000,00000000), ref: 00DD6C15
                                  • StrCmpCA.SHLWAPI(?,00B3EC68), ref: 00DD6C2D
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DD6C55
                                  • HttpOpenRequestA.WININET(00000000,GET,?,00B42A48,00000000,00000000,-00400100,00000000), ref: 00DD6C90
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00DD6CB7
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DD6CC6
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00DD6CE5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DD6D3F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD6D9B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00DD6DBD
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD6DCE
                                  • InternetCloseHandle.WININET(?), ref: 00DD6DD8
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD6DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD6E03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: 180a866bf9372cc282c5c545dedaa2449bd2971a912e68f1eb736d7d45b188dd
                                  • Instruction ID: dbddd88e3f0e3b02782ec9ba8234c73d0c326721d7256b8c8c96e43d27ea814e
                                  • Opcode Fuzzy Hash: 180a866bf9372cc282c5c545dedaa2449bd2971a912e68f1eb736d7d45b188dd
                                  • Instruction Fuzzy Hash: 2A817F71A41219ABEB20DFA4DC45BAE77B9EF04700F14406AFA44E7381DB74EE458BB0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00B31C38), ref: 00DF271B
                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00DFA470,00000000,00000000,00000000,00000000,?,00B31C38), ref: 00DF274C
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,00B31C38), ref: 00DF27AF
                                  • HeapAlloc.KERNEL32(00000000,?,00B31C38), ref: 00DF27B6
                                  • wsprintfA.USER32 ref: 00DF27DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 1325379522-3309953409
                                  • Opcode ID: 13ea9f62488167a650be3005fa2dc92b8c3706af165ab6c21be5a5b981f8d41c
                                  • Instruction ID: 0924d3c64a0168bc63e1a536e962c733efb6140f761e679413a933f7d6a5e30b
                                  • Opcode Fuzzy Hash: 13ea9f62488167a650be3005fa2dc92b8c3706af165ab6c21be5a5b981f8d41c
                                  • Instruction Fuzzy Hash: 0A3161B1D482499FCB15DFB899859FFBFB8FF58700F11416AE645E7640E2348A008BB1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DD5589
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00DD5590
                                  • InternetOpenA.WININET(00DFD014,00000000,00000000,00000000,00000000), ref: 00DD55A6
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 00DD55C1
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00DD55EC
                                  • KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 00DD5611
                                  • InternetCloseHandle.WININET(?), ref: 00DD562B
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD5632
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
                                  • String ID:
                                  • API String ID: 1337183907-0
                                  • Opcode ID: 75b1e9cdd60440e0495054e29e68e9dd2c36665aaa06e6a2de94b591fc389a3d
                                  • Instruction ID: 07602b1179752825afe6b4835a9869bcb0caaccd38429eab16bd56630d68fd5d
                                  • Opcode Fuzzy Hash: 75b1e9cdd60440e0495054e29e68e9dd2c36665aaa06e6a2de94b591fc389a3d
                                  • Instruction Fuzzy Hash: AC418E70A00604AFDB25CF54D848FAAB7B4FF48308F5880AAE6489B395D776D941CFA4

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID:
                                  • API String ID: 190572456-0
                                  • Opcode ID: 42c4a568ed3f031132aa0bfca3d7f91b27c513a33eaad1d8e9eca624a44940fe
                                  • Instruction ID: 2adefc7d93a8ebd0dc957245d2a05bcad1bff640ff2886d374968343982b4ccb
                                  • Opcode Fuzzy Hash: 42c4a568ed3f031132aa0bfca3d7f91b27c513a33eaad1d8e9eca624a44940fe
                                  • Instruction Fuzzy Hash: C831703194060A9BCB21ABB4CC8567F76AAEF10740F098026B645E7256DB35ED058BB1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,00B3EE68), ref: 00DD4B17
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00DD4B21
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00DD4B2B
                                  • lstrlenA.KERNEL32(?,00000000,?), ref: 00DD4B3F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 00DD4B47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: b0b094d9c6bb63a1d35614d3ad734e85fa15043f5eb99fa4b1ba375fffa7a8c6
                                  • Instruction ID: c1ca5cc55756b04c74f04d7c7daad8b1308a759fdb388ca3244978f3587aa586
                                  • Opcode Fuzzy Hash: b0b094d9c6bb63a1d35614d3ad734e85fa15043f5eb99fa4b1ba375fffa7a8c6
                                  • Instruction Fuzzy Hash: 6C012D71D00218ABDB14DFA8E845B9EBBB8EB08360F00812AF954E7390DB7459058FD4

                                  Control-flow Graph (basic blocks with their edges; legend: Executed / Not Executed, colouring lost in extraction)
                                  • 2040: df28b0-df28f3 (GetProcessHeap, HeapAlloc, RegOpenKeyExA) → 2041, 2042
                                  • 2041: df290b-df291e (RegCloseKey) → 2043, 2044
                                  • 2042: df28f5-df2905 (RegQueryValueExA) → 2041
                                  • 2043: df2931-df2934
                                  • 2044: df2920-df292f → 2043, 2044 (loop)
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00DF28C5
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DF28CC
                                  • RegOpenKeyExA.KERNEL32(80000002,00B3B5F0,00000000,00020119,00DF2849), ref: 00DF28EB
                                  • RegQueryValueExA.KERNEL32(00DF2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00DF2905
                                  • RegCloseKey.ADVAPI32(00DF2849), ref: 00DF290F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3466090806-1022791448
                                  • Opcode ID: fef0c9cc2508ea384d8a66a1f5f212a6dff87e70e0ca3d2917a9c540ca520c04
                                  • Instruction ID: 82a5c4b84cfcdcd53c8d554c51aac72fc14bbdcd798aa02f11850b0a4aece624
                                  • Opcode Fuzzy Hash: fef0c9cc2508ea384d8a66a1f5f212a6dff87e70e0ca3d2917a9c540ca520c04
                                  • Instruction Fuzzy Hash: 50012475A40318AFD321CBA0DC58EFB7BBCEB08705F108099FF85D7285EA7259048BA0

                                  Control-flow Graph (basic blocks with their edges; legend: Executed / Not Executed, colouring lost in extraction)
                                  • 2045: df2820-df284e (GetProcessHeap, HeapAlloc, call df28b0) → 2048, 2049
                                  • 2048: df285a-df2879 (RegOpenKeyExA) → 2050, 2051
                                  • 2049: df2850-df2859
                                  • 2050: df287b-df288c (RegQueryValueExA) → 2051
                                  • 2051: df2892-df28a2 (RegCloseKey)
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00DF2835
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DF283C
                                    • Part of subcall function 00DF28B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00DF28C5
                                    • Part of subcall function 00DF28B0: HeapAlloc.KERNEL32(00000000), ref: 00DF28CC
                                    • Part of subcall function 00DF28B0: RegOpenKeyExA.KERNEL32(80000002,00B3B5F0,00000000,00020119,00DF2849), ref: 00DF28EB
                                    • Part of subcall function 00DF28B0: RegQueryValueExA.KERNEL32(00DF2849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00DF2905
                                    • Part of subcall function 00DF28B0: RegCloseKey.ADVAPI32(00DF2849), ref: 00DF290F
                                  • RegOpenKeyExA.KERNEL32(80000002,00B3B5F0,00000000,00020119,?), ref: 00DF2871
                                  • RegQueryValueExA.KERNEL32(?,00B41BD0,00000000,00000000,00000000,000000FF), ref: 00DF288C
                                  • RegCloseKey.ADVAPI32(?), ref: 00DF2896
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3466090806-2517555085
                                  • Opcode ID: 6459e0886bd614b6910f95a28ceefa5598bdddd4b4f64a7f2b6994126f440c17
                                  • Instruction ID: 9a8a0e04882c556f03ec4934ef689c1f865bcfc3e7f8d3fd72f2313f298f2da4
                                  • Opcode Fuzzy Hash: 6459e0886bd614b6910f95a28ceefa5598bdddd4b4f64a7f2b6994126f440c17
                                  • Instruction Fuzzy Hash: 6A01A271A0020CBFD720DBA4AC49EBB777CEB44715F008159FF48D6285D67559408BA0

                                  Control-flow Graph (basic blocks with their edges; legend: Executed / Not Executed, colouring lost in extraction)
                                  • 2052: deefe0-def005 (call dd2840) → 2055, 2056
                                  • 2055: def019-def01d (call dd6b80) → 2059
                                  • 2056: def007-def00f → 2055, 2057
                                  • 2057: def011-def013 (lstrcpy) → 2055
                                  • 2059: def022-def038 (StrCmpCA) → 2060, 2061
                                  • 2060: def03a-def052 (call dd2930, call dd2840) → 2071, 2072
                                  • 2061: def061-def068 (call dd2930) → 2066
                                  • 2066: def070-def078 → 2066 (loop), 2068
                                  • 2068: def07a-def087 (call dd2840) → 2072, 2076
                                  • 2071: def054-def05c → 2072, 2075
                                  • 2072: def095-def0f0 (call dd2930 × 10)
                                  • 2075: def05e-def05f → 2078
                                  • 2076: def089 → 2078
                                  • 2078: def08e-def08f (lstrcpy) → 2072
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEF013
                                  • StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,00DEF54D), ref: 00DEF02E
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00DEF08F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601
                                  • Opcode ID: d66ce3a2a8c6be6e49636bd444eb3959e35304d59f3fec7abff8c320720bd23a
                                  • Instruction ID: 92918235000bde68e2650f1e810aaa3113885b7a8d216c75ef25f30be3ad1ad8
                                  • Opcode Fuzzy Hash: d66ce3a2a8c6be6e49636bd444eb3959e35304d59f3fec7abff8c320720bd23a
                                  • Instruction Fuzzy Hash: D0211D71A502869BCB24BF79D8567AF37A4EF14300F444529B88DDB353EA30DE518BB0

                                  Control-flow Graph (basic blocks with their edges; legend: Executed / Not Executed, colouring lost in extraction)
                                  • 2097: df2a70-df2ac2 (GetProcessHeap, HeapAlloc, GetComputerNameA) → 2098, 2099
                                  • 2098: df2ae4-df2af9
                                  • 2099: df2ac4-df2ad6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00DF2A9F
                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00DF2AA6
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00DF2ABA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocComputerNameProcess
                                  • String ID:
                                  • API String ID: 4203777966-0
                                  • Opcode ID: 96bf909a6722fe00259684bea0b26dfd707b30b741bd666a929d72e02524e611
                                  • Instruction ID: 126bd7bab7b66e8dcaa6a0179ee3cd60bc85787213eb5bb665e62eee9fcf5df2
                                  • Opcode Fuzzy Hash: 96bf909a6722fe00259684bea0b26dfd707b30b741bd666a929d72e02524e611
                                  • Instruction Fuzzy Hash: 9A01D672A44648AFD720CF99EC45BAAF7BCF744B25F00426AFA19E3780D779190487A1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEEF62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 04067088f38f6ce22f5c14a89d714d1f0c7b86391b9fdd6fe78d782fe65b5b0d
                                  • Instruction ID: 7a6a95fa429edc4af1fea5e2d52517d89fc95b9f2db5d99a4b33c87cf73f149d
                                  • Opcode Fuzzy Hash: 04067088f38f6ce22f5c14a89d714d1f0c7b86391b9fdd6fe78d782fe65b5b0d
                                  • Instruction Fuzzy Hash: CE11C0706601499BDB24FF79DC96AEE37A4EF54340F804125B8888B352DA34EE558BF1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD602F
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD6082
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD60B5
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD60E5
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD6120
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD6153
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DD6163
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------$LP$LP$LP
                                  • API String ID: 2041821634-2504685677
                                  • Opcode ID: 50fa73f80ec6d84585a1eee73139d021f1e98f9f51a13f178f20e97acb4bb461
                                  • Instruction ID: 5320c1eb8311a638a41d0ceeba661c2a8ff4d53d2418d36e5fa2f3ea263b7086
                                  • Opcode Fuzzy Hash: 50fa73f80ec6d84585a1eee73139d021f1e98f9f51a13f178f20e97acb4bb461
                                  • Instruction Fuzzy Hash: 33523E71A002159FDB21AFB4DC49AAE77B9EF44304F198026F945A7356DB35ED028BF0
                                  APIs
                                  • memset.MSVCRT ref: 00DD97C4
                                  • lstrcatA.KERNEL32(?,?), ref: 00DD97D8
                                  • lstrcatA.KERNEL32(?,?), ref: 00DD97ED
                                  • lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00DD9800
                                  • memset.MSVCRT ref: 00DD9815
                                    • Part of subcall function 00DF3E10: lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DF3E45
                                    • Part of subcall function 00DF3E10: lstrcpy.KERNEL32(00000000,00B34638), ref: 00DF3E6F
                                    • Part of subcall function 00DF3E10: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00DD4D2A,?,00000014), ref: 00DF3E79
                                  • wsprintfA.USER32 ref: 00DD9846
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00DD9869
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00DD9888
                                  • memset.MSVCRT ref: 00DD98A6
                                  • lstrcatA.KERNEL32(?,?,?,00000000,00000103), ref: 00DD98BB
                                  • lstrcatA.KERNEL32(?,?), ref: 00DD98CD
                                  • lstrcatA.KERNEL32(?,00E05120), ref: 00DD98DD
                                  • memset.MSVCRT ref: 00DD98F2
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00DD991A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD9950
                                  • StrStrA.SHLWAPI(?,00B41F00), ref: 00DD9965
                                  • lstrcpyn.KERNEL32(010093D0,?,00000000), ref: 00DD9982
                                  • lstrlenA.KERNEL32(?), ref: 00DD9996
                                  • wsprintfA.USER32 ref: 00DD99A6
                                  • lstrcpy.KERNEL32(?,?), ref: 00DD99BD
                                  • memset.MSVCRT ref: 00DD99D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$memset$lstrcpy$Desktopwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 3051782728-1862457068
                                  • Opcode ID: 24fa888cedf39cc7c77df764ab2060d25c520fae5b9bd9d0ea66c18ca84be311
                                  • Instruction ID: d982caefa5d94a113a69c137f73039233ad6c739370aa646d8d3a79468d1b942
                                  • Opcode Fuzzy Hash: 24fa888cedf39cc7c77df764ab2060d25c520fae5b9bd9d0ea66c18ca84be311
                                  • Instruction Fuzzy Hash: FE917271614340AFE721EF74DC45FAB77E8EF88704F10891DB68987281DB75AA048BB6
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DF46D9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00DF46E9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00DF46FB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 00DF470D
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DF4722
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DF4731
                                  • CloseHandle.KERNEL32(00000000), ref: 00DF4738
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00DF4746
                                  • CloseHandle.KERNEL32(00000000), ref: 00DF4751
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 9244ce046102b287f64632f761df8685c5b3f9081fafea73cc3ae7fdaa0bffb6
                                  • Instruction ID: ab380c7ac04a3cfb68582d9b8db931036bf19cfe5dc424a46cdc099956bdd613
                                  • Opcode Fuzzy Hash: 9244ce046102b287f64632f761df8685c5b3f9081fafea73cc3ae7fdaa0bffb6
                                  • Instruction Fuzzy Hash: 7901A1315011186BE732AB609C8CFFB377CAB45B41F048199FA8995184EF7999818BB0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00DD769E
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DD76A5
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00DD76CD
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00DD76ED
                                  • LocalFree.KERNEL32(?), ref: 00DD76F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 3657800372-0
                                  • Opcode ID: 7434553a11e9a450663165e176acda182c19b58e3324636137ebea65e0030a20
                                  • Instruction ID: ab2a180a66618947b9a5bf79e2dc1d28a217ee7a1c50b5e05e448f85cdd09b92
                                  • Opcode Fuzzy Hash: 7434553a11e9a450663165e176acda182c19b58e3324636137ebea65e0030a20
                                  • Instruction Fuzzy Hash: 3D012575B403087FEB20DB94DC4AFAA7778EB44B15F108155FB49EB2C4D6B59900C7A0
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00DF40AD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00DF40BC
                                  • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00DF40C3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00DF40F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocProcess
                                  • String ID:
                                  • API String ID: 3939037734-0
                                  • Opcode ID: 863ea78739d59a2d3230347994b2d23b4c62d2c009fb7f64c33f3aa49e2b19e7
                                  • Instruction ID: 73a5cfa366c4648f4f3c5d7257c1884ff006bb263b53ee7d924eda73a03f9433
                                  • Opcode Fuzzy Hash: 863ea78739d59a2d3230347994b2d23b4c62d2c009fb7f64c33f3aa49e2b19e7
                                  • Instruction Fuzzy Hash: 54011A70600209ABDB20DFA5DC89BABBBADEF85315F108069BE4987240DA759D408B60
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DD9BFF
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00DD9C13
                                  • memcpy.MSVCRT(00000000,?), ref: 00DD9C2A
                                  • LocalFree.KERNEL32(?), ref: 00DD9C37
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                  • String ID:
                                  • API String ID: 3243516280-0
                                  • Opcode ID: 6c81be1517a2a3e5cea9a578572044636fde364b79a22a85a0f3e71e559da163
                                  • Instruction ID: 0b9da6c2000cc9f4f024e34d5af8ad58481387685553798a966f4140f0985fda
                                  • Opcode Fuzzy Hash: 6c81be1517a2a3e5cea9a578572044636fde364b79a22a85a0f3e71e559da163
                                  • Instruction Fuzzy Hash: 1701FB75A41309ABD7109BA4DC55BAAB778EB44700F104159FA04AB384D7B59A00CBE0
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DD9B9B
                                  • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DD9BAA
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DD9BC1
                                  • LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00DD9BD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 10a217fbd58deb283ba692d5b12f40aab30dd52af6fc8abadca61f2dfc9c3416
                                  • Instruction ID: cc0ff1094ec71f2992cf4ca442d3befa8122e2e54cbf2ef23fdb31d5cd6cfc89
                                  • Opcode Fuzzy Hash: 10a217fbd58deb283ba692d5b12f40aab30dd52af6fc8abadca61f2dfc9c3416
                                  • Instruction Fuzzy Hash: 04F030703403126FF7315F24AC59FA77BA8EF04B50F260415FA49EA2C4D7BA9840CBA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DF3E45
                                  • lstrcpy.KERNEL32(00000000,00B34638), ref: 00DF3E6F
                                  • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00DD4D2A,?,00000014), ref: 00DF3E79
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$SystemTime
                                  • String ID:
                                  • API String ID: 684065273-0
                                  • Opcode ID: c6342352f8bc2866b7aabc8c3f1a8483df7a028f066ffdae21bf237c4b2bfd16
                                  • Instruction ID: f773308ee0c40dcfab2a124cf949419b52152692f33afd132eee98a4029cc139
                                  • Opcode Fuzzy Hash: c6342352f8bc2866b7aabc8c3f1a8483df7a028f066ffdae21bf237c4b2bfd16
                                  • Instruction Fuzzy Hash: 33415B70E012499FDB25CF29C484666BBA5FF08314F0AC4AEE989DB352C676DD42CB60
                                  APIs
                                  • memset.MSVCRT ref: 00DD108A
                                    • Part of subcall function 00DD1000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD1015
                                    • Part of subcall function 00DD1000: HeapAlloc.KERNEL32(00000000), ref: 00DD101C
                                    • Part of subcall function 00DD1000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00DD1039
                                    • Part of subcall function 00DD1000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00DD1053
                                    • Part of subcall function 00DD1000: RegCloseKey.ADVAPI32(?), ref: 00DD105D
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00DD10A0
                                  • lstrlenA.KERNEL32(?), ref: 00DD10AD
                                  • lstrcatA.KERNEL32(?,.keys), ref: 00DD10C8
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD10FF
                                  • lstrlenA.KERNEL32(00B3EBB8), ref: 00DD110D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1131
                                  • lstrcatA.KERNEL32(00000000,00B3EBB8), ref: 00DD1139
                                  • lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00DD1144
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD1168
                                  • lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00DD1174
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD119A
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DD11DF
                                  • lstrlenA.KERNEL32(00B41888), ref: 00DD11EE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1215
                                  • lstrcatA.KERNEL32(00000000,?), ref: 00DD121D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD1258
                                  • lstrcatA.KERNEL32(00000000), ref: 00DD1265
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD128C
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 00DD12B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD12E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD131D
                                    • Part of subcall function 00DEEF30: lstrcpy.KERNEL32(00000000,?), ref: 00DEEF62
                                  • DeleteFileA.KERNEL32(?), ref: 00DD1351
                                  • memset.MSVCRT ref: 00DD136E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2734118222-3586502688
                                  • Opcode ID: 61f77ddd743c7c93ce789da3d68679c94fefe825f7fcae6958d28d40acc5d6ed
                                  • Instruction ID: 8c7e9885406cfa74f0aa0bb0c3c311c84250e36f700aa8ab2d3b239e7e3bcefa
                                  • Opcode Fuzzy Hash: 61f77ddd743c7c93ce789da3d68679c94fefe825f7fcae6958d28d40acc5d6ed
                                  • Instruction Fuzzy Hash: 81A17F75A01205ABCB21EFB4DC4AAAE7BB9EF44300F484026F945E7356DB35DE458BB0
                                  APIs
                                    • Part of subcall function 00DD90F0: InternetOpenA.WININET(00DFD014,00000001,00000000,00000000,00000000), ref: 00DD910F
                                    • Part of subcall function 00DD90F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00DD912C
                                    • Part of subcall function 00DD90F0: InternetCloseHandle.WININET(00000000), ref: 00DD9139
                                    • Part of subcall function 00DD90F0: strlen.MSVCRT ref: 00DD9155
                                  • strlen.MSVCRT ref: 00DD9311
                                  • strlen.MSVCRT ref: 00DD932A
                                    • Part of subcall function 00DE7EB0: memchr.MSVCRT ref: 00DE7EEF
                                    • Part of subcall function 00DE7EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00DE7F09
                                    • Part of subcall function 00DE7EB0: memchr.MSVCRT ref: 00DE7F28
                                    • Part of subcall function 00DD89B0: std::_Xinvalid_argument.LIBCPMT ref: 00DD89C6
                                  • memset.MSVCRT ref: 00DD9371
                                  • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00DD938C
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00DD93A2
                                  • strlen.MSVCRT ref: 00DD93C9
                                  • strlen.MSVCRT ref: 00DD9416
                                  • memcmp.MSVCRT(?,00DFD014,?), ref: 00DD943B
                                  • memset.MSVCRT ref: 00DD9562
                                  • lstrcatA.KERNEL32(?,cookies), ref: 00DD9577
                                  • lstrcatA.KERNEL32(?,00E01D5C), ref: 00DD9589
                                  • lstrcatA.KERNEL32(?,?), ref: 00DD959A
                                  • lstrcatA.KERNEL32(?,00E05158), ref: 00DD95AC
                                  • lstrcatA.KERNEL32(?,?), ref: 00DD95BD
                                  • lstrcatA.KERNEL32(?,.txt), ref: 00DD95CF
                                  • lstrlenA.KERNEL32(?), ref: 00DD95E6
                                  • lstrlenA.KERNEL32(?), ref: 00DD960B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD9644
                                  • memset.MSVCRT ref: 00DD968C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 2819545660-3542011879
                                  • Opcode ID: e0bc7acb4988941ffeafd2a7c5d8bcda35a8f4049e9220ff24961aba128ed716
                                  • Instruction ID: 8423bb88a2c67ad4648a46f55930a64607b29cf8c43cf2164eaedc4506993bb6
                                  • Opcode Fuzzy Hash: e0bc7acb4988941ffeafd2a7c5d8bcda35a8f4049e9220ff24961aba128ed716
                                  • Instruction Fuzzy Hash: A4E10771E10218EFDF14DFA8C894AEEBBB5BF48310F50446AE549A7341DB35AA45CFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DF182F
                                  • lstrlenA.KERNEL32(00B2FAE0,00000000,00000000,?,?,00DF1B61), ref: 00DF1840
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1867
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DF1872
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF18A1
                                  • lstrlenA.KERNEL32(00E05560,?,?,00DF1B61), ref: 00DF18B3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF18D4
                                  • lstrcatA.KERNEL32(00000000,00E05560,?,?,00DF1B61), ref: 00DF18E0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF190F
                                  • lstrlenA.KERNEL32(00B26660,?,?,00DF1B61), ref: 00DF1925
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF194C
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DF1957
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1986
                                  • lstrlenA.KERNEL32(00E05560,?,?,00DF1B61), ref: 00DF1998
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF19B9
                                  • lstrcatA.KERNEL32(00000000,00E05560,?,?,00DF1B61), ref: 00DF19C5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF19F4
                                  • lstrlenA.KERNEL32(00B32FC8,?,?,00DF1B61), ref: 00DF1A0A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1A31
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DF1A3C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1A6B
                                  • lstrlenA.KERNEL32(00B32FD8,?,?,00DF1B61), ref: 00DF1A81
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1AA8
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DF1AB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1AE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: 6e64140a374f632d1c6e46b845587deb37fa692a5f4db765abd21a464d24ca5e
                                  • Instruction ID: 536682431428d735f2055f793e7f2bcffed757fb7c9fe49e4cff13221aa4ad9b
                                  • Opcode Fuzzy Hash: 6e64140a374f632d1c6e46b845587deb37fa692a5f4db765abd21a464d24ca5e
                                  • Instruction Fuzzy Hash: 68917DB4600307EBD721AFB5C898A37B7EDEF14344F19882AA9D5C3252DB79D9418B70
                                  APIs
                                  • StrCmpCA.SHLWAPI(?,block,?,?,?,?,00DF081F), ref: 00DE8D1A
                                  • ExitProcess.KERNEL32 ref: 00DE8D27
                                  • strtok_s.MSVCRT ref: 00DE8D39
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcessstrtok_s
                                  • String ID: block
                                  • API String ID: 3407564107-2199623458
                                  • Opcode ID: 05560509b05bebb1fabedfbafceb59844418d5e365da55212f2ab58d1d17f674
                                  • Instruction ID: 4a19bcffabe9376291859cd27166e6e6efc0341f6a636053bf043b03bab7fc67
                                  • Opcode Fuzzy Hash: 05560509b05bebb1fabedfbafceb59844418d5e365da55212f2ab58d1d17f674
                                  • Instruction Fuzzy Hash: 6B517DB15087819FC721AF76D884A2BBBF5FF04704B00481EF48AD2661DF79D941AB71
                                  APIs
                                  • InternetOpenA.WININET(00DFD014,00000001,00000000,00000000,00000000), ref: 00DD910F
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00DD912C
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD9139
                                  • strlen.MSVCRT ref: 00DD9155
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 00DD9196
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00DD91C7
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD91D2
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD91D9
                                  • strlen.MSVCRT ref: 00DD91EA
                                  • strlen.MSVCRT ref: 00DD921D
                                  • strlen.MSVCRT ref: 00DD925E
                                    • Part of subcall function 00DE7EB0: memchr.MSVCRT ref: 00DE7EEF
                                    • Part of subcall function 00DE7EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00DE7F09
                                    • Part of subcall function 00DE7EB0: memchr.MSVCRT ref: 00DE7F28
                                  • strlen.MSVCRT ref: 00DD927C
                                    • Part of subcall function 00DD89B0: std::_Xinvalid_argument.LIBCPMT ref: 00DD89C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 4166274400-2144369209
                                  • Opcode ID: 332cafc9a42e5e027aef000924bfca927381f2ed7fe953cc887a509ba2856312
                                  • Instruction ID: 4f23821d3531a96f69ed3cf9ef91ecb4313242a4a29615a13695dc46bc5aca3a
                                  • Opcode Fuzzy Hash: 332cafc9a42e5e027aef000924bfca927381f2ed7fe953cc887a509ba2856312
                                  • Instruction Fuzzy Hash: F351A871A00305ABDB20DBA8DC45BEEF7F9DB48710F14416AF605E3380DBB5A9458BB5
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DD7745
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00DD778A
                                  • strlen.MSVCRT ref: 00DD77BE
                                  • StrStrA.SHLWAPI(?,Password), ref: 00DD77F8
                                  • strlen.MSVCRT ref: 00DD788D
                                    • Part of subcall function 00DD7690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00DD769E
                                    • Part of subcall function 00DD7690: HeapAlloc.KERNEL32(00000000), ref: 00DD76A5
                                    • Part of subcall function 00DD7690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00DD76CD
                                    • Part of subcall function 00DD7690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00DD76ED
                                    • Part of subcall function 00DD7690: LocalFree.KERNEL32(?), ref: 00DD76F7
                                  • strcpy_s.MSVCRT ref: 00DD7821
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD782C
                                  • HeapFree.KERNEL32(00000000), ref: 00DD7833
                                  • strlen.MSVCRT ref: 00DD7840
                                  • strcpy_s.MSVCRT ref: 00DD786A
                                  • strlen.MSVCRT ref: 00DD78B4
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00DD7975
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 3893107980-3434357891
                                  • Opcode ID: 7749e20cadf00195f19e6939985875b2919aff54a3bdfa4bfcf6a0920b4a8f47
                                  • Instruction ID: 4fdc3d6cf584d047c55e6a6cefa12d00124e282a4c056776ee8e18c0ddbd61e5
                                  • Opcode Fuzzy Hash: 7749e20cadf00195f19e6939985875b2919aff54a3bdfa4bfcf6a0920b4a8f47
                                  • Instruction Fuzzy Hash: 2781FFB1D0021DAFDB10DF94D8849EEB7B9FF48310F1485AAE509E7250EB359A85CFA1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEF134
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DEF162
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF176
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF185
                                  • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF1A3
                                  • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF1D1
                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF1E4
                                  • strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF1F6
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DEF67A), ref: 00DEF202
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00DEF24F
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 00DEF28F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                  • String ID: ERROR
                                  • API String ID: 2137491262-2861137601
                                  • Opcode ID: c9d7c465f2ffeb22d4d9b8451fb890c1f0cdaa8e5b5b28d6cad54396fa5ed68c
                                  • Instruction ID: 94a2909421089ed532cbf749f2d702cda25c45f8a90118eb3c8f6417f4fd4436
                                  • Opcode Fuzzy Hash: c9d7c465f2ffeb22d4d9b8451fb890c1f0cdaa8e5b5b28d6cad54396fa5ed68c
                                  • Instruction Fuzzy Hash: 04517D359102859FCB21BB75C849A7F77A5EF54304F09406AF989DB312DB34DD028BB0
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(00B3EEA8,01009BD8,0000FFFF), ref: 00DDA086
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DDA0B3
                                  • lstrlenA.KERNEL32(01009BD8), ref: 00DDA0C0
                                  • lstrcpy.KERNEL32(00000000,01009BD8), ref: 00DDA0EA
                                  • lstrlenA.KERNEL32(00E0520C), ref: 00DDA0F5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DDA112
                                  • lstrcatA.KERNEL32(00000000,00E0520C), ref: 00DDA11E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DDA144
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DDA14F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DDA174
                                  • SetEnvironmentVariableA.KERNEL32(00B3EEA8,00000000), ref: 00DDA18F
                                  • LoadLibraryA.KERNEL32(00B42548), ref: 00DDA1A3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: ab2dddcd6b197137b91636a2ccdbec23b958b2895f927ce1145d23343f096a78
                                  • Instruction ID: 3baafcf26e99fd9a99c980efda15efe48b66e01262535688e8ca7038d9154f09
                                  • Opcode Fuzzy Hash: ab2dddcd6b197137b91636a2ccdbec23b958b2895f927ce1145d23343f096a78
                                  • Instruction Fuzzy Hash: 9891D231A00B009FD7319FA8D844A7637B6FB54704F48C52BE9458B356EB7ADD818BB2
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DDBD0F
                                  • lstrlenA.KERNEL32(00000000), ref: 00DDBD42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DDBD6C
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DDBD74
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DDBD9C
                                  • lstrlenA.KERNEL32(00E05094), ref: 00DDBE13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: fa9b2f03074fd5c688bc0a5995411fc9fbe212d5d3327d5d48a3e4d9c4a4b456
                                  • Instruction ID: cf424406dbc4084ba0b44699991f9950682f08e168abf904e9bed1683f8eb5db
                                  • Opcode Fuzzy Hash: fa9b2f03074fd5c688bc0a5995411fc9fbe212d5d3327d5d48a3e4d9c4a4b456
                                  • Instruction Fuzzy Hash: 16A16F70A01204CFCB25DF28C959AAEB7B5EF44318F59806BE4499B366DB36DD42CB70
                                  APIs
                                  • strtok_s.MSVCRT ref: 00DE8263
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE829C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE82D3
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE82F0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE8327
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE8344
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE837B
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE8398
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE83C7
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE83E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE8410
                                  • strtok_s.MSVCRT ref: 00DE842A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$strtok_s
                                  • String ID:
                                  • API String ID: 2211830134-0
                                  • Opcode ID: 82b413ee082698f95979cab9b3a60e6957ea39488f6a7199477aa57d60e522a2
                                  • Instruction ID: 3c7db3230b535125a39037a8f168690e6b9a3c17713a25afbf3483e0d1b4eabd
                                  • Opcode Fuzzy Hash: 82b413ee082698f95979cab9b3a60e6957ea39488f6a7199477aa57d60e522a2
                                  • Instruction Fuzzy Hash: 91513C71A006129BDB15EF79D858AAABBE9EF04300F148115EC4ADB385DB34ED51DBF0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD6A3F
                                  • InternetOpenA.WININET(00DFD014,00000001,00000000,00000000,00000000), ref: 00DD6A6C
                                  • StrCmpCA.SHLWAPI(?,00B3EC68), ref: 00DD6A8A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00DD6AAA
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00DD6AC8
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00DD6AE1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DD6B06
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00DD6B30
                                  • CloseHandle.KERNEL32(00000000), ref: 00DD6B50
                                  • InternetCloseHandle.WININET(00000000), ref: 00DD6B57
                                  • InternetCloseHandle.WININET(?), ref: 00DD6B61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: 54aa9085f729b5c3c148103c6e8e7791a27cffff465fcbd6cd50e33de338ed50
                                  • Instruction ID: 52a57c62a81f3653061fde8d73da24949fdeb042ef5dae19b0e8889e6f160c8f
                                  • Opcode Fuzzy Hash: 54aa9085f729b5c3c148103c6e8e7791a27cffff465fcbd6cd50e33de338ed50
                                  • Instruction Fuzzy Hash: 9B419E71A00219ABDB20DF64DC45FAE77B8EB04704F14846AFA45E7281DB74EE048BB4
                                  APIs
                                    • Part of subcall function 00DD7710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DD7745
                                    • Part of subcall function 00DD7710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00DD778A
                                    • Part of subcall function 00DD7710: strlen.MSVCRT ref: 00DD77BE
                                    • Part of subcall function 00DD7710: StrStrA.SHLWAPI(?,Password), ref: 00DD77F8
                                    • Part of subcall function 00DD7710: strcpy_s.MSVCRT ref: 00DD7821
                                    • Part of subcall function 00DD7710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD782C
                                    • Part of subcall function 00DD7710: HeapFree.KERNEL32(00000000), ref: 00DD7833
                                    • Part of subcall function 00DD7710: strlen.MSVCRT ref: 00DD7840
                                  • lstrcatA.KERNEL32(00000000,00E05094), ref: 00DD79D0
                                  • lstrcatA.KERNEL32(00000000,?), ref: 00DD79FD
                                  • lstrcatA.KERNEL32(00000000, : ), ref: 00DD7A0F
                                  • lstrcatA.KERNEL32(00000000,?), ref: 00DD7A30
                                  • wsprintfA.USER32 ref: 00DD7A50
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD7A79
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00DD7A87
                                  • lstrcatA.KERNEL32(00000000,00E05094), ref: 00DD7AA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                  • String ID: :
                                  • API String ID: 2460923012-3653984579
                                  • Opcode ID: d4b6b847f11433a399606e52f159684a29025b1ceac733b5846dffb9b6395623
                                  • Instruction ID: a62a89b9fe5adcc75ddae5f51a281425777415e37a120b447c3c14e50d2996dd
                                  • Opcode Fuzzy Hash: d4b6b847f11433a399606e52f159684a29025b1ceac733b5846dffb9b6395623
                                  • Instruction Fuzzy Hash: 2D319372A04214EFCB21DB68D8449AFB7B9FB84304F14555AF58E93345EB35AE41CBB0
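The two call chains listed above, the WinINet routine at 00DD6A3F..00DD6B61 that streams a URL into a file opened for writing, and the registry walk in subcall 00DD7710 that probes value names for "Password", are the behaviours a triage script should pull out of listings like these. What follows is an added example, not code from the report or from Joe Sandbox: it parses the "APIs" bullets in the exact format printed on this page and applies two behaviour rules to them. The rule definitions, the hive-handle table and the CreateFileA flag constants are this example's own assumptions; the sample traces are excerpts copied from the listings above.

```python
"""Behavioural triage over Joe Sandbox-style "APIs" listings (added example).

Parses per-function API bullets as the report prints them and flags two
chains: a WinINet download written to a file opened for writing, and a
registry-value walk whose value names are probed for "Password". Rules,
hive table and flag constants are assumptions of this example; the sample
traces are excerpts copied from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# api.MODULE(args), ref: ADDR, optionally prefixed "Part of subcall function X:";
# calls printed without parentheses ("strtok_s.MSVCRT ref: ...") parse too.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
GENERIC_WRITE, CREATE_ALWAYS = 0x40000000, 2  # CreateFileA access bit / disposition


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[int] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw, sub = m.group("args"), m.group("sub")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    # '?' placeholders and string literals ("Password", "ERROR") give None.
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def in_order(calls: List[ApiCall], wanted: List[str]) -> bool:
    """True if the API names in `wanted` appear as an ordered subsequence."""
    names = (c.api for c in calls)
    return all(any(n == w for n in names) for w in wanted)


def detect_download_to_disk(calls: List[ApiCall]) -> Optional[Dict]:
    """InternetOpenUrlA -> CreateFileA -> InternetReadFile -> WriteFile chain."""
    if not in_order(calls, ["InternetOpenUrlA", "CreateFileA", "InternetReadFile", "WriteFile"]):
        return None
    create = next(c for c in calls if c.api == "CreateFileA")
    access, disposition = hex_arg(create, 1), hex_arg(create, 4)
    return {"write_access": bool(access and access & GENERIC_WRITE),
            "create_always": disposition == CREATE_ALWAYS}


def detect_registry_credential_harvest(calls: List[ApiCall]) -> Optional[Dict]:
    """RegOpenKeyExA/RegEnumValueA walk with a StrStrA probe for 'Password'."""
    if not in_order(calls, ["RegOpenKeyExA", "RegEnumValueA"]):
        return None
    needles = [a for c in calls if c.api == "StrStrA" for a in c.args if "password" in a.lower()]
    if not needles:
        return None
    opened = next(c for c in calls if c.api == "RegOpenKeyExA")
    return {"hive": HIVES.get(hex_arg(opened, 0), "unknown"), "needle": needles[0],
            "dpapi_decrypt": any(c.api == "CryptUnprotectData" for c in calls)}


def triage(text: str) -> Dict[str, Dict]:
    calls = parse_trace(text)
    hits = {}
    for name, detector in (("download_to_disk", detect_download_to_disk),
                           ("registry_credential_harvest", detect_registry_credential_harvest)):
        result = detector(calls)
        if result:
            hits[name] = result
    return hits


# Excerpts copied from the report's "APIs" listings.
DOWNLOAD_TRACE = """\
• InternetOpenA.WININET(00DFD014,00000001,00000000,00000000,00000000), ref: 00DD6A6C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00DD6AAA
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00DD6AC8
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00DD6AE1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DD6B06
• CloseHandle.KERNEL32(00000000), ref: 00DD6B50
"""
REGISTRY_TRACE = """\
  • Part of subcall function 00DD7710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DD7745
  • Part of subcall function 00DD7710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00DD778A
  • Part of subcall function 00DD7710: StrStrA.SHLWAPI(?,Password), ref: 00DD77F8
• lstrcatA.KERNEL32(00000000, : ), ref: 00DD7A0F
"""
```

Running `triage(DOWNLOAD_TRACE)` reports the download chain with `write_access` and `create_always` both true (0x40000000 is GENERIC_WRITE, disposition 2 is CREATE_ALWAYS), and `triage(REGISTRY_TRACE)` reports the harvest against HKEY_CURRENT_USER with the needle "Password". The ordered-subsequence check, rather than a bag-of-APIs match, is what keeps a function that merely imports lstrcpy and lstrlen from firing either rule.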
                                  APIs
                                  • strtok_s.MSVCRT ref: 00DE8105
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,00DF093B), ref: 00DE814B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE817A
                                  • StrCmpCA.SHLWAPI(00000000,00E051FC,?,?,?,?,?,00DF093B), ref: 00DE8192
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,00DF093B), ref: 00DE81D0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE81FF
                                  • strtok_s.MSVCRT ref: 00DE820F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlenstrtok_s
                                  • String ID: fplugins
                                  • API String ID: 3280532728-38756186
                                  • Opcode ID: 3e364b5607349d8f7296cdab937e722a8c45a34d394e422099515f708a512f56
                                  • Instruction ID: de2e12d996f04771ae065e3dd68f9c085fdaf05ed21e05a73dedbde740937f54
                                  • Opcode Fuzzy Hash: 3e364b5607349d8f7296cdab937e722a8c45a34d394e422099515f708a512f56
                                  • Instruction Fuzzy Hash: 8C418C71A002469BCB21EFB9D948BAABBB4EF44700F15811DE89DD7244EB34D941DBA0
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00DD9E64
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00DD9EA2
                                  • memset.MSVCRT ref: 00DD9ECF
                                  • LocalAlloc.KERNEL32(00000040), ref: 00DD9F07
                                    • Part of subcall function 00DF7210: lstrcpy.KERNEL32(00000000,ERROR), ref: 00DF722E
                                  • lstrcpy.KERNEL32(00000000,00E05208), ref: 00DDA012
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocalmemset
                                  • String ID: @$v10$v20
                                  • API String ID: 3420379846-278772428
                                  • Opcode ID: d4680776d8f7d4a83e1f55b84016764618c7b8f1335a881249cbc67cc7645c6e
                                  • Instruction ID: 3d41937b56cc9912ee6019aaa00a567fc45f3640baaf8812016288fca0507fbc
                                  • Opcode Fuzzy Hash: d4680776d8f7d4a83e1f55b84016764618c7b8f1335a881249cbc67cc7645c6e
                                  • Instruction Fuzzy Hash: D3517E72A40209ABDB10EFA4CC55BAEB7A4EF14314F154026F949EB352DA71EE458BF0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD1015
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DD101C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00DD1039
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00DD1053
                                  • RegCloseKey.ADVAPI32(?), ref: 00DD105D
                                  Strings
                                  • SOFTWARE\monero-project\monero-core, xrefs: 00DD102F
                                  • wallet_path, xrefs: 00DD104D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3466090806-4244082812
                                  • Opcode ID: 824aa1ad7fe93935d61f5340b55d5bd77570618758b2f88d30182fe4173ddc70
                                  • Instruction ID: afdc456fade1d1cff983a3a01abd690ba7315f7e9b586b4176f0a848933257a0
                                  • Opcode Fuzzy Hash: 824aa1ad7fe93935d61f5340b55d5bd77570618758b2f88d30182fe4173ddc70
                                  • Instruction Fuzzy Hash: 71F09075A40309BFD720ABA09C4DFBB7B3CEB04715F104055FE48E6285D6B55A4487A0
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00DF4779
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00DF4789
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00DF479B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DF47BC
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DF47CB
                                  • CloseHandle.KERNEL32(00000000), ref: 00DF47D2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00DF47E0
                                  • CloseHandle.KERNEL32(00000000), ref: 00DF47EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 1bb46e048c5aed60184b709fe897cf5bcdeeda87d46cfc552ac6a4a7c5d2e6b8
                                  • Instruction ID: 0fc685a6ff744159ebdacbf945a013c257815c957858520c520727163cc97d84
                                  • Opcode Fuzzy Hash: 1bb46e048c5aed60184b709fe897cf5bcdeeda87d46cfc552ac6a4a7c5d2e6b8
                                  • Instruction Fuzzy Hash: 9A01D231A012186FE732AB309C88FFB777CEB08741F048195FA4991085EB798D908BA0
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00DD717E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00DD71B9
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DD71C0
                                  • memcpy.MSVCRT(00000000,?), ref: 00DD71ED
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00DD7203
                                  • HeapFree.KERNEL32(00000000), ref: 00DD720A
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00DD7269
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
                                  • String ID:
                                  • API String ID: 1745114167-0
                                  • Opcode ID: 7036b71a34fc243257ba998dc7e718e1d8b56c7492b6c5e339b8debf1eaf8c68
                                  • Instruction ID: bfa675757ba4f91a234ae4b77ad4bd0240c9b1442246016c220250d6779f3a3c
                                  • Opcode Fuzzy Hash: 7036b71a34fc243257ba998dc7e718e1d8b56c7492b6c5e339b8debf1eaf8c68
                                  • Instruction Fuzzy Hash: 12415D71B047459BEB20CFA9D884BAAB7F8FB84315F1845AAEC5DC7305E735E9008B64
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00DD9D08
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00DD9D3A
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DD9D63
                                  • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00DD9D9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpymemcmp
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 4154055062-738592651
                                  • Opcode ID: 4eb60ad60c39b58e801d6c7246ace078c8b53eb515d3b303c93e381ae62d0e82
                                  • Instruction ID: 78b61f4b768fd0f3f9861f1fd3c217315562b75e3e54b21e442b6fd258f965e7
                                  • Opcode Fuzzy Hash: 4eb60ad60c39b58e801d6c7246ace078c8b53eb515d3b303c93e381ae62d0e82
                                  • Instruction Fuzzy Hash: DC41A231A002099BDB10EFA8CCA16AFB7B5EF54300F094167F994A7352DA31EE05CBB0
                                  APIs
                                  • strtok_s.MSVCRT ref: 00DE7F84
                                  • lstrlenA.KERNEL32(00000000), ref: 00DE7FB1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00DE7FE0
                                  • strtok_s.MSVCRT ref: 00DE7FF1
                                  • StrCmpCA.SHLWAPI(00000000,00E051FC), ref: 00DE8025
                                  • StrCmpCA.SHLWAPI(00000000,00E051FC), ref: 00DE8053
                                  • StrCmpCA.SHLWAPI(00000000,00E051FC), ref: 00DE8087
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strtok_s$lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 348468850-0
                                  • Opcode ID: f7a1f01b6f77e4c69a1d17b4b258c408b586d168cbb081744a89504137e7c5c7
                                  • Instruction ID: b7de60cfc62baa40b438c18e5c31e176aea3fe44ab2542ddc0daf4d84f4ec272
                                  • Opcode Fuzzy Hash: f7a1f01b6f77e4c69a1d17b4b258c408b586d168cbb081744a89504137e7c5c7
                                  • Instruction Fuzzy Hash: D441E370A0460ADFCB20EF19D480EAE77B4FF44300F114089E809AB355EB31EA66CFA1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DE7DD8
                                    • Part of subcall function 00DFA1F0: std::exception::exception.LIBCMT ref: 00DFA205
                                    • Part of subcall function 00DFA1F0: __CxxThrowException@8.LIBCMT ref: 00DFA21A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DE7DF6
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DE7E11
                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00DE7CFA,00000000,?,?,00000000,?,00DD91B6,?), ref: 00DE7E74
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 702443124-4289949731
                                  • Opcode ID: 7bd605bd5a383791b48166e43466ae2b8471c1eb69cc389513dd40d3e2789c3e
                                  • Instruction ID: d0eb2460c8658e707e9b9ff00bf1fd7b667f43cae4d6aca189889b48570e8082
                                  • Opcode Fuzzy Hash: 7bd605bd5a383791b48166e43466ae2b8471c1eb69cc389513dd40d3e2789c3e
                                  • Instruction Fuzzy Hash: 2D21D2323047818BD764EE6DD880A2AB7E5EF91B10F244AAEF4968B281D770DC4187B1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00DD12EE), ref: 00DD9AFA
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00DD12EE), ref: 00DD9B10
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,00DD12EE), ref: 00DD9B27
                                  • ReadFile.KERNEL32(00000000,00000000,?,00DD12EE,00000000,?,?,?,00DD12EE), ref: 00DD9B40
                                  • LocalFree.KERNEL32(?,?,?,?,00DD12EE), ref: 00DD9B60
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00DD12EE), ref: 00DD9B67
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: d55227a90313a31c22b8707fca4148deeab9113d6b26a282644258595ae54916
                                  • Instruction ID: 549e83b0480ccc2264e390d5971fd30be595e73c690dc8f8406298c84e061313
                                  • Opcode Fuzzy Hash: d55227a90313a31c22b8707fca4148deeab9113d6b26a282644258595ae54916
                                  • Instruction Fuzzy Hash: 5C115E71600209AFE721DFA4ECD4ABBB36CEB04704F16415BF9049B280EB36ED008B74
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD89C6
                                    • Part of subcall function 00DFA1F0: std::exception::exception.LIBCMT ref: 00DFA205
                                    • Part of subcall function 00DFA1F0: __CxxThrowException@8.LIBCMT ref: 00DFA21A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD89FD
                                    • Part of subcall function 00DFA1A3: std::exception::exception.LIBCMT ref: 00DFA1B8
                                    • Part of subcall function 00DFA1A3: __CxxThrowException@8.LIBCMT ref: 00DFA1CD
                                  • memcpy.MSVCRT(?,00000000,?,00000000,?,?,00DD8800,?,00000000,00DD77D7), ref: 00DD8A5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2202983795-4289949731
                                  • Opcode ID: ed7aaa94ced57e086d9a84428448dc553735bf42381193d6d990bc8248407a2e
                                  • Instruction ID: 76c137b5a9785b2096803a15aa4969f07442cfc79246f50b95c0c2a9ee57af7c
                                  • Opcode Fuzzy Hash: ed7aaa94ced57e086d9a84428448dc553735bf42381193d6d990bc8248407a2e
                                  • Instruction Fuzzy Hash: A021D3723006508BC7229A6CE840A6AF7E9EBA1761B15093FF192CB381DB71DC41D7F5
                                  APIs
                                  • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00DF1E28), ref: 00DF1B52
                                    • Part of subcall function 00DF1800: lstrcpy.KERNEL32(00000000,00DFD014), ref: 00DF182F
                                    • Part of subcall function 00DF1800: lstrlenA.KERNEL32(00B2FAE0,00000000,00000000,?,?,00DF1B61), ref: 00DF1840
                                    • Part of subcall function 00DF1800: lstrcpy.KERNEL32(00000000,00000000), ref: 00DF1867
                                    • Part of subcall function 00DF1800: lstrcatA.KERNEL32(00000000,00000000), ref: 00DF1872
                                    • Part of subcall function 00DF1800: lstrcpy.KERNEL32(00000000,00000000), ref: 00DF18A1
                                    • Part of subcall function 00DF1800: lstrlenA.KERNEL32(00E05560,?,?,00DF1B61), ref: 00DF18B3
                                    • Part of subcall function 00DF1800: lstrcpy.KERNEL32(00000000,00000000), ref: 00DF18D4
                                    • Part of subcall function 00DF1800: lstrcatA.KERNEL32(00000000,00E05560,?,?,00DF1B61), ref: 00DF18E0
                                    • Part of subcall function 00DF1800: lstrcpy.KERNEL32(00000000,00000000), ref: 00DF190F
                                  • sscanf.NTDLL ref: 00DF1B7A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1B96
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1BA6
                                  • ExitProcess.KERNEL32 ref: 00DF1BC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: 443fe50b8955a96dd34915b5e12694bcf11457c0e5d7ca78ad94df67c850fd1e
                                  • Instruction ID: 2e71770145ace2f4a984981a8a864f79640533b7765cb0680de810f4d54ee7f5
                                  • Opcode Fuzzy Hash: 443fe50b8955a96dd34915b5e12694bcf11457c0e5d7ca78ad94df67c850fd1e
                                  • Instruction Fuzzy Hash: 6921DEB5518305EFC350EF69D88486BBBF8EEC8214F408A1EF699C3214E73596048BA2
                                  APIs
                                  • memcpy.MSVCRT(?,?,00000040), ref: 00DD6E40
                                  • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00DD6E7C
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 00DD6EB4
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DD6EBB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapmemcpy$AllocProcess
                                  • String ID: @
                                  • API String ID: 1643994569-2766056989
                                  • Opcode ID: 18523bcc8f498ed66590986e842d5491ccb4cccd59a22b833bf5aae6b5cef67b
                                  • Instruction ID: ed1fa3208ddff6b30054fa2af010b2acc46cb848396ff2b5e76061cc4e24da36
                                  • Opcode Fuzzy Hash: 18523bcc8f498ed66590986e842d5491ccb4cccd59a22b833bf5aae6b5cef67b
                                  • Instruction Fuzzy Hash: 50116170640B119BDB218B61DC84BB677E4EF41705F08843AF946CB784FB74D940CBA1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DE7D14
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DE7D2F
                                  • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,00DD91B6,?,?,?,?,00000000,?,00001000,?), ref: 00DE7D84
                                    • Part of subcall function 00DE7DC0: std::_Xinvalid_argument.LIBCPMT ref: 00DE7DD8
                                    • Part of subcall function 00DE7DC0: std::_Xinvalid_argument.LIBCPMT ref: 00DE7DF6
                                    • Part of subcall function 00DE7DC0: std::_Xinvalid_argument.LIBCPMT ref: 00DE7E11
                                    • Part of subcall function 00DE7DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,00DE7CFA,00000000,?,?,00000000,?,00DD91B6,?), ref: 00DE7E74
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memcpy
                                  • String ID: string too long
                                  • API String ID: 2304785028-2556327735
                                  • Opcode ID: 24ecfab76af7349ee0ff4a5af17f8aec43a24f8f029ffd5aec89c6a617fe3448
                                  • Instruction ID: 821e0636e08930187509dd9069bed2121ab69c0858a0e1b2a4f8127da9f65719
                                  • Opcode Fuzzy Hash: 24ecfab76af7349ee0ff4a5af17f8aec43a24f8f029ffd5aec89c6a617fe3448
                                  • Instruction Fuzzy Hash: 0D310672308690CBD760EE6DEC80A7AF7E9EF91760B244A2AF1428B641C7719C4187B4
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD88B3
                                    • Part of subcall function 00DFA1A3: std::exception::exception.LIBCMT ref: 00DFA1B8
                                    • Part of subcall function 00DFA1A3: __CxxThrowException@8.LIBCMT ref: 00DFA1CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2884196479-1517697755
                                  • Opcode ID: a3c19d8762247f9e257303a0478ccc973033cbd8d6c85ac02e0a67a2d6b40b32
                                  • Instruction ID: 2f6ca9fbcacceecb1810d8feebecd9897c0d8d2bc267a35c24bc5b17670851dc
                                  • Opcode Fuzzy Hash: a3c19d8762247f9e257303a0478ccc973033cbd8d6c85ac02e0a67a2d6b40b32
                                  • Instruction Fuzzy Hash: 67318BB5E005159FCB04DF58C89166DB7B6EB88310F14C269E915AF345DB30AD01CBE1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD8767
                                    • Part of subcall function 00DFA1A3: std::exception::exception.LIBCMT ref: 00DFA1B8
                                    • Part of subcall function 00DFA1A3: __CxxThrowException@8.LIBCMT ref: 00DFA1CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2884196479-1517697755
                                  • Opcode ID: b7c97408ad5b41a4e63f3efdf8009835ac625083bc02d4664fabd2df77fbffcb
                                  • Instruction ID: 78aff5b645960ccc5fa0eb5628663c096404dbb73e0ac8ed75938afb76b13bb5
                                  • Opcode Fuzzy Hash: b7c97408ad5b41a4e63f3efdf8009835ac625083bc02d4664fabd2df77fbffcb
                                  • Instruction Fuzzy Hash: FFF09027F100212B8355A53E9D8509EA94796E439033ED722E94AEF389EC30EC82A1F0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD880C
                                  • memcpy.MSVCRT(?,?,00000000,00000000,00DD77D7), ref: 00DD8852
                                    • Part of subcall function 00DD89B0: std::_Xinvalid_argument.LIBCPMT ref: 00DD89C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memcpy
                                  • String ID: string too long
                                  • API String ID: 2304785028-2556327735
                                  • Opcode ID: d10b8f9834eda2446f9f12c51ebb7db7318b093825555b2c084b5eb30fc17282
                                  • Instruction ID: c550f509f8dbc1685491a0960119bddf509867d8d9bd6e7d37eaf377c28deb58
                                  • Opcode Fuzzy Hash: d10b8f9834eda2446f9f12c51ebb7db7318b093825555b2c084b5eb30fc17282
                                  • Instruction Fuzzy Hash: 912183717007509BDB378E6C9880A2AB7EAEF85B01B64091BF492C7781DFA1DC44B7B5
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD8AA5
                                    • Part of subcall function 00DFA1A3: std::exception::exception.LIBCMT ref: 00DFA1B8
                                    • Part of subcall function 00DFA1A3: __CxxThrowException@8.LIBCMT ref: 00DFA1CD
                                  • memcpy.MSVCRT(?,?,?), ref: 00DD8AEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
                                  • String ID: string too long
                                  • API String ID: 2475949303-2556327735
                                  • Opcode ID: bc636abccf76eb47364ddc50a30c638748d0541805a9040ba283416ff36e22f0
                                  • Instruction ID: dfb1988a5d53f7a664bd6da8546abf11da2dc5a4b347431330efa375a6f1a0e3
                                  • Opcode Fuzzy Hash: bc636abccf76eb47364ddc50a30c638748d0541805a9040ba283416ff36e22f0
                                  • Instruction Fuzzy Hash: D22107727047049BE721CE6DDC40A6EB7EAEBD5320F198A1BE895C3380DF70994597B0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00DD8BBF
                                    • Part of subcall function 00DFA1F0: std::exception::exception.LIBCMT ref: 00DFA205
                                    • Part of subcall function 00DFA1F0: __CxxThrowException@8.LIBCMT ref: 00DFA21A
                                  • memmove.MSVCRT(?,?,?,?,?,00DD89E2,00000000,?,?,00DD8800,?,00000000,00DD77D7), ref: 00DD8BF5
                                  Strings
                                  • invalid string position, xrefs: 00DD8BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
                                  • String ID: invalid string position
                                  • API String ID: 655285616-1799206989
                                  • Opcode ID: 0eb8c7890f877ef61aadb973b5e8b04a6d2eafe5cf9f8253ad4e654b9c5a8941
                                  • Instruction ID: f214d1798cab486fb1fe7f53a6e50ab574967b1c50b5eb5137c30eafb6aace0a
                                  • Opcode Fuzzy Hash: 0eb8c7890f877ef61aadb973b5e8b04a6d2eafe5cf9f8253ad4e654b9c5a8941
                                  • Instruction Fuzzy Hash: 6601A7B13047409BD3268E7CEC9492BB7E6DBC4704B29491ED092C7749DB70DC819770
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00DF1581
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DF15B9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DF15F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DF1629
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 8a559ace942127cf0ac3562c7d6bb6f1d07b935e524eddb74702f1ae5054ff37
                                  • Instruction ID: 889a78c86591a4c1cbc27186e9314e7d295c396936bad99816d334c825880fd4
                                  • Opcode Fuzzy Hash: 8a559ace942127cf0ac3562c7d6bb6f1d07b935e524eddb74702f1ae5054ff37
                                  • Instruction Fuzzy Hash: 1821EC78601B069BD728DF2AC454A27B7F5EF54700B098A1DA88AC7B41DB34E801CBB0
                                  APIs
                                    • Part of subcall function 00DD1510: lstrcpy.KERNEL32(00000000), ref: 00DD152D
                                    • Part of subcall function 00DD1510: lstrcpy.KERNEL32(00000000,?), ref: 00DD154F
                                    • Part of subcall function 00DD1510: lstrcpy.KERNEL32(00000000,?), ref: 00DD1571
                                    • Part of subcall function 00DD1510: lstrcpy.KERNEL32(00000000,?), ref: 00DD1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1437
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1459
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD147B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD14DF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 6a4c71ba3f1238c9eeff8d8c6f7d3a4a7fc999c387a0bcfecaa9506aa0258c9d
                                  • Instruction ID: 0ab4a3e2ed7a763edcec1bedf374f0bc75a8db5287586971b1f6c67af44dbfc6
                                  • Opcode Fuzzy Hash: 6a4c71ba3f1238c9eeff8d8c6f7d3a4a7fc999c387a0bcfecaa9506aa0258c9d
                                  • Instruction Fuzzy Hash: C531CA78A01B42AFD729DF7AD544956BBF5FF48704704492EA996C3B10DB34F811CBA0
                                  APIs
                                  • memcpy.MSVCRT(?,?,00000040), ref: 00DD6E40
                                  • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00DD6E7C
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 00DD6EB4
                                  • HeapAlloc.KERNEL32(00000000), ref: 00DD6EBB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapmemcpy$AllocProcess
                                  • String ID:
                                  • API String ID: 1643994569-0
                                  • Opcode ID: 22136f78fe6ea4b578e9bd1c8c524cb20bc62df9d8a59337c6f4add1b2ee84b4
                                  • Instruction ID: 9240471a588c590206c4d13453a7852b39c844b1723f84ee87321787544d7624
                                  • Opcode Fuzzy Hash: 22136f78fe6ea4b578e9bd1c8c524cb20bc62df9d8a59337c6f4add1b2ee84b4
                                  • Instruction Fuzzy Hash: 4E218E70640A119BDB208B34DC84BB673E8EB40704F488469F986CB784FB78E941CBA0
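The function above (calls at 00DD6E40 to 00DD6EBB) copies 0x40 bytes, then 0xF8 bytes from a buffer whose first word is 0x5A4D ("MZ"), and then calls GetProcessHeap followed by HeapAlloc. 0x40 is sizeof(IMAGE_DOS_HEADER) and 0xF8 is sizeof(IMAGE_NT_HEADERS32), so the trace reads as a walk over a 32-bit PE header followed by an allocation, which is the usual prelude to mapping an embedded or downloaded image by hand rather than through LoadLibrary. That reading is an inference from the constants, not something the report states. The C below is an added example, not code from the sample or from Joe Sandbox, of the same two copies done the way a loader has to do them on untrusted input: the MZ and PE signatures are verified, e_lfanew is bounded before it is used as an index, and SizeOfImage is sanity-checked before anything is allocated from it. The header structs are the documented Win32 layouts declared locally so the file builds without windows.h; the constructed test image, the 256 MiB plausibility cap and calloc standing in for HeapAlloc are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Minimal PE header layout, declared locally so this builds without windows.h.
 * Sizes match the Win32 SDK: sizeof(IMAGE_DOS_HEADER) == 0x40 and
 * sizeof(IMAGE_NT_HEADERS32) == 0xF8, the two lengths seen in the trace. */
#define DOS_HEADER_SIZE    0x40
#define NT_HEADERS32_SIZE  0xF8
#define OPT_HEADER32_SIZE  0xE0
#define DOS_MAGIC          0x5A4D       /* "MZ" */
#define NT_SIGNATURE       0x00004550u  /* "PE\0\0" */
#define MACHINE_I386       0x014C
#define OPT_SIZEOFIMAGE    0x38         /* offset inside the optional header */
#define MAX_IMAGE_SIZE     (256u << 20) /* plausibility cap: an assumption */

typedef struct {
    uint16_t e_magic;
    uint8_t  unused[0x3A];              /* fields this example does not read */
    uint32_t e_lfanew;                  /* offset of the NT headers */
} dos_header_t;

typedef struct {
    uint32_t signature;
    uint16_t machine;
    uint16_t number_of_sections;
    uint32_t time_date_stamp;
    uint32_t pointer_to_symbol_table;
    uint32_t number_of_symbols;
    uint16_t size_of_optional_header;
    uint16_t characteristics;
    uint8_t  optional[OPT_HEADER32_SIZE];
} nt_headers32_t;

/* Compile-time size checks (negative-array trick, works in C89 and later). */
typedef char dos_size_ok[sizeof(dos_header_t) == DOS_HEADER_SIZE ? 1 : -1];
typedef char nt_size_ok[sizeof(nt_headers32_t) == NT_HEADERS32_SIZE ? 1 : -1];

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The two copies from the trace (0x40 bytes, then 0xF8 bytes at e_lfanew) with
 * the checks a loader needs on an untrusted image. Returns 0 on success, else
 * -1 too short, -2 no MZ, -3 e_lfanew out of range, -4 no PE, -5 not PE32/i386. */
int pe_copy_headers(const uint8_t *image, size_t image_len,
                    dos_header_t *dos, nt_headers32_t *nt)
{
    if (image == NULL || image_len < DOS_HEADER_SIZE + NT_HEADERS32_SIZE)
        return -1;
    memcpy(dos, image, DOS_HEADER_SIZE);
    if (dos->e_magic != DOS_MAGIC)
        return -2;
    /* e_lfanew is read from the image itself: bound it before indexing with it */
    if (dos->e_lfanew < DOS_HEADER_SIZE ||
        dos->e_lfanew > image_len - NT_HEADERS32_SIZE)
        return -3;
    memcpy(nt, image + dos->e_lfanew, NT_HEADERS32_SIZE);
    if (nt->signature != NT_SIGNATURE)
        return -4;
    if (nt->machine != MACHINE_I386 ||
        nt->size_of_optional_header != OPT_HEADER32_SIZE)
        return -5;
    return 0;
}

/* SizeOfImage from the optional header: the size a loader would pass to the
 * HeapAlloc that follows in the trace. Returns 0 if the value is implausible. */
uint32_t pe_size_of_image(const nt_headers32_t *nt)
{
    uint32_t size = read_le32(nt->optional + OPT_SIZEOFIMAGE);
    if (size < DOS_HEADER_SIZE + NT_HEADERS32_SIZE || size > MAX_IMAGE_SIZE)
        return 0;
    return size;
}

/* Constructed test image (not taken from the sample): "MZ", NT headers at
 * 0x80, Machine = i386, PE32 magic, SizeOfImage = 0x3000. Caller frees it. */
uint8_t *build_sample_image(size_t *len_out)
{
    const size_t lfanew = 0x80;
    uint8_t *img = calloc(1, lfanew + NT_HEADERS32_SIZE);
    if (img == NULL) return NULL;
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = (uint8_t)lfanew;                          /* e_lfanew (LE) */
    memcpy(img + lfanew, "PE\0\0", 4);
    img[lfanew + 4] = 0x4C; img[lfanew + 5] = 0x01;       /* Machine = 0x014C */
    img[lfanew + 0x14] = OPT_HEADER32_SIZE;               /* SizeOfOptionalHeader */
    img[lfanew + 0x18] = 0x0B; img[lfanew + 0x19] = 0x01; /* Magic = PE32 */
    img[lfanew + 0x18 + OPT_SIZEOFIMAGE + 1] = 0x30;      /* SizeOfImage = 0x3000 */
    *len_out = lfanew + NT_HEADERS32_SIZE;
    return img;
}

/* Parses the constructed image after overwriting byte `offset` with `value`
 * and truncating it to `len` bytes (0 = full length). Returns the error code
 * from pe_copy_headers, or SizeOfImage when the headers were accepted. */
long demo_parse(size_t len, size_t offset, uint8_t value)
{
    size_t full; dos_header_t dos; nt_headers32_t nt; int rc;
    uint8_t *img = build_sample_image(&full);
    if (img == NULL) return -100;
    img[offset] = value;
    rc = pe_copy_headers(img, len ? len : full, &dos, &nt);
    free(img);
    return rc == 0 ? (long)pe_size_of_image(&nt) : rc;
}
```

In a hostile image every one of these fields is attacker-chosen; the check on e_lfanew is the one most often skipped in hand-rolled loaders, and without it the second memcpy reads outside the buffer. The same checks, applied to a buffer that a process has just decrypted or downloaded, are also what a memory scanner looks for when it flags a manually mapped image.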
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00DD152D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD154F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1571
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00DD1593
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2621522699.0000000000DD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                   • Associated: 00000000.00000002.2621508055.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621550250.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621566443.0000000000E07000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E08000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E13000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E1B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E3E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E5E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E63000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000E9D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EAA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EC9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000ED7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000EF2000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F2D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000000F50000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2621579553.0000000001008000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2622378710.000000000101A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dd0000_daw21.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: e7d98f7ccddbebe5702c2a249556f11df4f53ca43bd74b2fb871a9564685be1d
                                  • Instruction ID: b4e130e414f35b46e0a1c59ebd927a53e7d52daf0d334a122de4e4cc97a8776c
                                  • Opcode Fuzzy Hash: e7d98f7ccddbebe5702c2a249556f11df4f53ca43bd74b2fb871a9564685be1d
                                  • Instruction Fuzzy Hash: DD11E278A01742ABDB249F75E458927B7F9FF49701704452EA497C7B50DB38E901CB70