
Windows Analysis Report
RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe

Overview

General Information

Sample name: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Analysis ID: 1428254
MD5: a6a52958bec5f9bca6d3dd49072b481b
SHA1: c706c226c248dd1666e04ed404eab305e76228f1
SHA256: 2dcedda2d433140e29c0e0efa141df17c0398b820922c7e39f4ab503ef1f1855
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe (PID: 5176 cmdline: "C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe" MD5: A6A52958BEC5F9BCA6D3DD49072B481B)
    • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.temikan.com.tr", "Username": "merve@temikan.com.tr", "Password": "temikan63"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 7 entries shown)
Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings):
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3351b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3358d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33617:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33713:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33785:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3381b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 7 entries shown)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 31.192.214.172, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 6880, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49700
No Snort rule has matched

AV Detection

Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Avira: detected
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.temikan.com.tr", "Username": "merve@temikan.com.tr", "Password": "temikan63"}
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | ReversingLabs: Detection: 28%
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Joe Sandbox ML: detected
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BB9336 FindFirstFileExW
Source: global traffic | TCP traffic: 192.168.2.6:49700 -> 31.192.214.172:587
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: NETINTERNETNetinternetBilisimTeknolojileriASTR
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (3 entries)
Source: global traffic | TCP traffic: 192.168.2.6:49700 -> 31.192.214.172:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321882179.0000000001195000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3324031872.000000000611C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321882179.0000000001195000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3324031872.000000000611C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321882179.0000000001195000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3324031872.000000000611C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.temikan.com.tr
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322028135.0000000001234000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0B
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322028135.0000000001234000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://temikan.com.tr
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, cPKWk.cs | .Net Code: KidsR2

System Summary

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Source: initial sample | Static PE information: Filename: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BBB99B
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BAF1C0
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BAB922
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BB4902
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BBD200
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BB2DD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D14A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D1A958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D13E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D141C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D1F998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB5D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB91E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05ABA130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05ABE0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB45A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB3CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB5658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05AB0338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_05ABC350
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: String function: 00BA69C0 appears 48 times
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Binary or memory string: OriginalFilename vs RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename360913dc-764e-4d41-ba62-f390e3d67fb7.exe4 vs RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.ba0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@4/1@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe "C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe"
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | Code function: 1_2_00BA6189 push ecx; ret 1_2_00BA619C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_02D10C95 push edi; ret 3_2_02D10CC2
Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | File created: \rfq img_quotation po 202400969 - hessen tech_pdf.exe (3 entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (15 entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 13A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D50000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1832
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6525
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2832 Thread sleep count: 1832 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2832 Thread sleep count: 6525 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99212s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -99094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -98000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97121s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -97000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96217s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -96000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -95890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -95781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -95672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -95562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2884 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BB9336 FindFirstFileExW,1_2_00BB9336
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99212
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97121
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96217
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 95890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 95781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 95672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 95562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BACDCF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BACDCF
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BBA4B1 mov eax, dword ptr fs:[00000030h] 1_2_00BBA4B1
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BB0694 mov ecx, dword ptr fs:[00000030h] 1_2_00BB0694
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BBCAB0 GetProcessHeap,1_2_00BBCAB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BA68F4 SetUnhandledExceptionFilter,1_2_00BA68F4
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BA6490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00BA6490
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BACDCF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BACDCF
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BA6798 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BA6798
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00C0765D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,1_2_00C0765D
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CDB008
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BA627C cpuid 1_2_00BA627C
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_00BBC84E
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: EnumSystemLocalesW,1_2_00BBC18C
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: EnumSystemLocalesW,1_2_00BBC1D7
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00BBC2FD
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: EnumSystemLocalesW,1_2_00BBC272
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetLocaleInfoW,1_2_00BB547B
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetLocaleInfoW,1_2_00BBC550
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,1_2_00BBBEEA
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00BBC679
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: GetLocaleInfoW,1_2_00BBC77F
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: EnumSystemLocalesW,1_2_00BB4F55
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe Code function: 1_2_00BA6692 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00BA6692
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.ba0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3322261762.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe PID: 5176, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6880, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.ba0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.3322261762.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe PID: 5176, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6880, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.bccad0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3322261762.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe PID: 5176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6880, type: MEMORYSTR
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
Windows Management Instrumentation
1
DLL Side-Loading
1
DLL Side-Loading
1
Disable or Modify Tools
2
OS Credential Dumping
1
System Time Discovery
Remote Services11
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts411
Process Injection
11
Deobfuscate/Decode Files or Information
1
Input Capture
2
File and Directory Discovery
Remote Desktop Protocol2
Data from Local System
11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information
1
Credentials in Registry
45
System Information Discovery
SMB/Windows Admin Shares1
Email Collection
1
Non-Standard Port
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDS131
Security Software Discovery
Distributed Component Object Model1
Input Capture
2
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
Virtualization/Sandbox Evasion
LSA Secrets1
Process Discovery
SSHKeylogging23
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts411
Process Injection
Cached Domain Credentials141
Virtualization/Sandbox Evasion
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
Application Window Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
System Network Configuration Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Source | Detection | Scanner | Label
RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | 29% | ReversingLabs | Win32.Trojan.Generic
RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | 100% | Avira | HEUR/AGEN.1352999
RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
temikan.com.tr | 31.192.214.172 | true | true | | unknown
mail.temikan.com.tr | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.o.lencr.org0 | RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322028135.0000000001234000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.temikan.com.tr | RegAsm.exe, 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ipify.org | RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://r3.i.lencr.org/0B | RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322028135.0000000001234000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe, 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000003.00000002.3322261762.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://temikan.com.tr | RegAsm.exe, 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://cps.root-x1.letsencrypt.org0 | RegAsm.exe, 00000003.00000002.3324031872.0000000006090000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3321882179.0000000001195000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3324031872.000000000611C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
31.192.214.172 | temikan.com.tr | Turkey | 51559 | NETINTERNETNetinternetBilisimTeknolojileriASTR | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1428254
Start date and time:2024-04-18 18:28:03 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Detection:MAL
Classification:mal100.spre.troj.spyw.evad.winEXE@4/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 62
• Number of non-executed functions: 44
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
Time | Type | Description
18:28:51 | API Interceptor | 41x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
31.192.214.172:
• Sxv09Al7Ah.exe | malicious | AgentTesla
• Receipt.lnk | malicious | AgentTesla
• rE1ge9sZhd.exe | malicious | AgentTesla, MailPassView
104.26.13.205:
• SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | Context: api.ipify.org/
• Sky-Beta-Setup.exe | malicious | Stealit | Context: api.ipify.org/?format=json
• ArenaWarSetup.exe | malicious | Stealit | Context: api.ipify.org/?format=json
• Sky-Beta Setup 1.0.0.exe | malicious | Unknown | Context: api.ipify.org/?format=json
• E4sbo4F6Sz.exe | malicious | Unknown | Context: api.ipify.org/
• E4sbo4F6Sz.exe | malicious | Unknown | Context: api.ipify.org/
• SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | Context: api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org:
• order 4500381478001.exe | malicious | AgentTesla | Context: 104.26.13.205
• Scan-IMG PO Order CW289170-A CW201.bat.exe | malicious | AgentTesla | Context: 172.67.74.152
• TransactionSummary_910020049836765_110424045239.xlsx | malicious | AgentTesla | Context: 104.26.13.205
• PRODUCT LIST_002673CC1F68.pdf.exe | malicious | AgentTesla | Context: 172.67.74.152
• WZM.exe | malicious | AgentTesla, PureLog Stealer, RedLine | Context: 104.26.12.205
• hesaphareketi_1.SCR.exe | malicious | AgentTesla | Context: 104.26.13.205
• DHL 0028374.exe | malicious | AgentTesla | Context: 104.26.12.205
• p silp AI240190.pdf.exe | malicious | AgentTesla | Context: 172.67.74.152
• Order Details and Specifications.vbs | malicious | AgentTesla, GuLoader | Context: 104.26.12.205
• RFQ-16042024-2_2403872952 .pdf.vbs | malicious | AgentTesla, GuLoader | Context: 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS:
• https://huntingtonoakmont-my.sharepoint.com/:b:/g/personal/cmariotti_oakmontcommunities_com/EeUv57weU1BKhs36H3rF_G0BHM4kTzJShI_ZPwFvp1P7-g?e=4UASJ5 | malicious | HTMLPhisher | Context: 104.17.25.14
• Nexpoint-annual-staff-promotion-and-benefits_KDV-791358.docx | malicious | Unknown | Context: 104.21.63.140
• Nexpoint-annual-staff-promotion-and-benefits_KDV-791358.docx | malicious | Unknown | Context: 104.17.25.14
• http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=esi-doc.one/YWGTytNgAkCXj6A/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/bXNvbG9yemFub0Bsc2ZjdS5vcmc=&d=DwMGaQ | malicious | HTMLPhisher | Context: 104.17.25.14
• SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf | malicious | Remcos | Context: 104.21.84.67
• https://assets-gbr.mkt.dynamics.com/63445ada-d6fc-ee11-9046-002248c656ac/digitalassets/standaloneforms/4f16ddf0-7afd-ee11-a1fe-000d3ad499fa | malicious | HTMLPhisher | Context: 104.17.64.14
• http://wechatunsuscribe.secure.force.com | malicious | Unknown | Context: 1.1.1.1
• notepad.txt | malicious | HTMLPhisher | Context: 1.1.1.1
• https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FC2educate/aEFQv26188aEFQv26188aEFQv/anVsaWUubG9uZ2lub0BjMmVkdWNhdGUuY29t | malicious | HTMLPhisher | Context: 104.17.2.184
• order 4500381478001.exe | malicious | AgentTesla | Context: 104.26.13.205
NETINTERNETNetinternetBilisimTeknolojileriASTR:
• https://t.airgears.org/r/?resource=120958450/4d9ac80/2a1170&e=dYRtX3NhcXBhbXduQUFjYW4kb26DYXK0LWQzJnV0bW9zb3WyY3V9YWNkJnV1bV9uAWRpdZ09ZW1ibWwmd39udW09OUT3MTNwMzQzMUYmd391cj0zJm1pX4U9eW5kZWApbmVlJmNpZD2yYURNNzV0NDgmYnlkPUE2MjBzN&ref_=1wy&ref=98k/&u=4jj4/&eid=xekc6v/DU5MjEnc2VoY29lZT11cmRlZnluZWQ&s=obI3r-q7de3Me3nnN3cpKfiix7CULJmXF7FuunFtjSx | malicious | Unknown | Context: 89.252.171.92
• product11221.exe | malicious | AgentTesla | Context: 159.253.43.92
• invoice1337.exe | malicious | AgentTesla | Context: 159.253.43.92
• http://minhaclaro.dtmmkt.com.br/effectivemail/redirecionaclique.aspx?idabordagem=5252932746&idlink=126090168=%0A66&endereco=//mhkyapi%E3%80%82com/temp/___cmljaGFyZEBnbG9iYWx0ZWNobmljYWxyZWFsdHkuY29t___fphpdnwwfu | malicious | Unknown | Context: 89.252.137.195
• http://minhaclaro.dtmmkt.com.br/effectivemail/redirecionaclique.aspx?idabordagem=5252932746&idlink=126090168=%0A66&endereco=//astrolojidersleri%E3%80%82net/temp/___cnlhbnNAcHJlc2lkaW8uY29t___qegpdlclfv | malicious | HtmlDropper, HTMLPhisher | Context: 91.227.6.15
• UGI9mVa2Gk.exe | malicious | AgentTesla | Context: 95.173.177.114
• hesaphareketi-01.exe | malicious | AgentTesla | Context: 95.173.177.114
• hesaphareketi-01.pdf.exe | malicious | AgentTesla | Context: 95.173.177.114
• 02_94_OR.EXE.exe | malicious | AgentTesla, PureLog Stealer | Context: 89.252.138.195
• TAVMCtVXa5.exe | malicious | Unknown | Context: 89.252.138.35
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e:
• SA162.pdf.download.lnk | malicious | Unknown | Context: 104.26.13.205
• https://wechatunsuscribe.secure.force.com/ | malicious | Unknown | Context: 104.26.13.205
• https://t.airgears.org/r/?resource=120958450/4d9ac80/2a1170&e=dYRtX3NhcXBhbXduQUFjYW4kb26DYXK0LWQzJnV0bW9zb3WyY3V9YWNkJnV1bV9uAWRpdZ09ZW1ibWwmd39udW09OUT3MTNwMzQzMUYmd391cj0zJm1pX4U9eW5kZWApbmVlJmNpZD2yYURNNzV0NDgmYnlkPUE2MjBzN&ref_=1wy&ref=98k/&u=4jj4/&eid=xekc6v/DU5MjEnc2VoY29lZT11cmRlZnluZWQ&s=obI3r-q7de3Me3nnN3cpKfiix7CULJmXF7FuunFtjSx | malicious | Unknown | Context: 104.26.13.205
• ueworoejvdvhruthqq3.exe | malicious | Patchwork | Context: 104.26.13.205
• ueworoejvdvhruthqq3.exe | malicious | Patchwork | Context: 104.26.13.205
• order 4500381478001.exe | malicious | AgentTesla | Context: 104.26.13.205
• Scan-IMG PO Order CW289170-A CW201.bat.exe | malicious | AgentTesla | Context: 104.26.13.205
• http://Doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/get_download_file_name.php | malicious | Unknown | Context: 104.26.13.205
• _Contrato_E2024A493865_PDF.js | malicious | Unknown | Context: 104.26.13.205
• PRODUCT LIST_002673CC1F68.pdf.exe | malicious | AgentTesla | Context: 104.26.13.205
No context
Process:C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3
Entropy (8bit):1.584962500721156
Encrypted:false
SSDEEP:3:A:A
MD5:C83BBF39A26190B2D0EC2D3091356053
SHA1:2C29EC19A8EC05D0CAA6527EA271229C0E7A7442
SHA-256:7C468F5E59F2871B946E051445493BBCACE531D597EDBBCC9935E7D02D025114
SHA-512:076C9EBFDD34C47081D70EA7A493B1CF324B3B5AE8286886590167F865D0D2936C8FE31B8C1E4BF7C40425C58F146C4D7B8E49B2EFF991EFB830A0518E041B7F
Malicious:false
Reputation:moderate, very likely benign file
Preview:4..
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):7.592956266550325
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
File size:429'056 bytes
MD5:a6a52958bec5f9bca6d3dd49072b481b
SHA1:c706c226c248dd1666e04ed404eab305e76228f1
SHA256:2dcedda2d433140e29c0e0efa141df17c0398b820922c7e39f4ab503ef1f1855
SHA512:db266982d3029b0ae5086955cdd37256757c2a943fa849634db4629a33f40d49c88ea5574d7752bead60580072c88f582a02e9078de31d00684e957db869997d
SSDEEP:12288:W7/6Tsprci/CRTVXmsQuCiGhtsvo4H3mkiOYfjaneE:Wz62gi/wVmFuKmvLH2Jr+e
TLSH:2194E11575C080B2D933213109F4DAB96E7DF9700AA55A8F67E40F7E8F70382E635AA7
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........OW.h.W.h.W.h...k.[.h...m...h...l.B.h..tl.E.h..tk.C.h...i.R.h.W.i...h..tm...h..wa.V.h..wj.V.h.RichW.h.........PE..L...z.!f...
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x405f2e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows cui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6621097A [Thu Apr 18 11:52:26 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:e233f55b2e1564f7081c0ffda9a4bede
                                                Instruction
                                                call 00007F2200557BC1h
                                                jmp 00007F2200557289h
                                                push ebp
                                                mov ebp, esp
                                                mov eax, dword ptr [ebp+08h]
                                                push esi
                                                mov ecx, dword ptr [eax+3Ch]
                                                add ecx, eax
                                                movzx eax, word ptr [ecx+14h]
                                                lea edx, dword ptr [ecx+18h]
                                                add edx, eax
                                                movzx eax, word ptr [ecx+06h]
                                                imul esi, eax, 28h
                                                add esi, edx
                                                cmp edx, esi
                                                je 00007F220055742Bh
                                                mov ecx, dword ptr [ebp+0Ch]
                                                cmp ecx, dword ptr [edx+0Ch]
                                                jc 00007F220055741Ch
                                                mov eax, dword ptr [edx+08h]
                                                add eax, dword ptr [edx+0Ch]
                                                cmp ecx, eax
                                                jc 00007F220055741Eh
                                                add edx, 28h
                                                cmp edx, esi
                                                jne 00007F22005573FCh
                                                xor eax, eax
                                                pop esi
                                                pop ebp
                                                ret
                                                mov eax, edx
                                                jmp 00007F220055740Bh
                                                push esi
                                                call 00007F2200557E98h
                                                test eax, eax
                                                je 00007F2200557432h
                                                mov eax, dword ptr fs:[00000018h]
                                                mov esi, 004680F0h
                                                mov edx, dword ptr [eax+04h]
                                                jmp 00007F2200557416h
                                                cmp edx, eax
                                                je 00007F2200557422h
                                                xor eax, eax
                                                mov ecx, edx
                                                lock cmpxchg dword ptr [esi], ecx
                                                test eax, eax
                                                jne 00007F2200557402h
                                                xor al, al
                                                pop esi
                                                ret
                                                mov al, 01h
                                                pop esi
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                cmp dword ptr [ebp+08h], 00000000h
                                                jne 00007F2200557419h
                                                mov byte ptr [004680F4h], 00000001h
                                                call 00007F22005576CEh
                                                call 00007F220055A43Bh
                                                test al, al
                                                jne 00007F2200557416h
                                                xor al, al
                                                pop ebp
                                                ret
                                                call 00007F22005637F8h
                                                test al, al
                                                jne 00007F220055741Ch
                                                push 00000000h
                                                call 00007F220055A442h
                                                pop ecx
                                                jmp 00007F22005573FBh
                                                mov al, 01h
                                                pop ebp
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                cmp byte ptr [004680F5h], 00000000h
                                                je 00007F2200557416h
                                                mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b5b0 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69000 | 0x1a8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29be0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x29b20 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x148 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20d0f | 0x20e00 | e13a5776a0ed4655a44cc440cc250974 | False | 0.5821649239543726 | data | 6.632055157739106 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x22000 | 0x9d14 | 0x9e00 | 88084451017105b1bf88cbc483fe6a3a | False | 0.43599189082278483 | data | 4.974989141605991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2c000 | 0x3cc08 | 0x3c000 | 3a44a39d7483e8b1dd90252c7311abe5 | False | 0.9847330729166667 | DOS executable (block device driver \377\377\377\377) | 7.984086048070751 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x69000 | 0x1a8c | 0x1c00 | 03f78380ee09af8022ac36975739032a | False | 0.7214006696428571 | data | 6.36135008718028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
GDI32.dll | GetMapMode
KERNEL32.dll | WaitForSingleObject, CloseHandle, FreeConsole, CreateThread, VirtualProtectEx, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 18:28:50.363900900 CEST | 55525 | 53 | 192.168.2.6 | 1.1.1.1
Apr 18, 2024 18:28:50.468190908 CEST | 53 | 55525 | 1.1.1.1 | 192.168.2.6
Apr 18, 2024 18:28:51.667602062 CEST | 54043 | 53 | 192.168.2.6 | 1.1.1.1
Apr 18, 2024 18:28:52.221893072 CEST | 53 | 54043 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 18:28:50.363900900 CEST | 192.168.2.6 | 1.1.1.1 | 0x4542 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 18, 2024 18:28:51.667602062 CEST | 192.168.2.6 | 1.1.1.1 | 0xd553 | Standard query (0) | mail.temikan.com.tr | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 18:28:50.468190908 CEST | 1.1.1.1 | 192.168.2.6 | 0x4542 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 18:28:50.468190908 CEST | 1.1.1.1 | 192.168.2.6 | 0x4542 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 18:28:50.468190908 CEST | 1.1.1.1 | 192.168.2.6 | 0x4542 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 18:28:52.221893072 CEST | 1.1.1.1 | 192.168.2.6 | 0xd553 | No error (0) | mail.temikan.com.tr | temikan.com.tr | | CNAME (Canonical name) | IN (0x0001) | false
Apr 18, 2024 18:28:52.221893072 CEST | 1.1.1.1 | 192.168.2.6 | 0xd553 | No error (0) | temikan.com.tr | | 31.192.214.172 | A (IP address) | IN (0x0001) | false
                                                • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 104.26.13.205 | 443 | 6880 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 16:28:50 UTC | 155 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                Host: api.ipify.org
                                                Connection: Keep-Alive
2024-04-18 16:28:51 UTC | 211 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 18 Apr 2024 16:28:50 GMT
                                                Content-Type: text/plain
                                                Content-Length: 12
                                                Connection: close
                                                Vary: Origin
                                                CF-Cache-Status: DYNAMIC
                                                Server: cloudflare
                                                CF-RAY: 876607c248feb0bd-ATL
2024-04-18 16:28:51 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                Data Ascii: 81.181.57.52


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 18, 2024 18:28:53.076950073 CEST | 587 | 49700 | 31.192.214.172 | 192.168.2.6 | 220-ni-polo.guzelhosting.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 19:28:50 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 18, 2024 18:28:53.090153933 CEST | 49700 | 587 | 192.168.2.6 | 31.192.214.172 | EHLO 609290
Apr 18, 2024 18:28:53.342488050 CEST | 587 | 49700 | 31.192.214.172 | 192.168.2.6 | 250-ni-polo.guzelhosting.com Hello 609290 [81.181.57.52]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 18, 2024 18:28:53.342856884 CEST | 49700 | 587 | 192.168.2.6 | 31.192.214.172 | STARTTLS
Apr 18, 2024 18:28:53.597315073 CEST | 587 | 49700 | 31.192.214.172 | 192.168.2.6 | 220 TLS go ahead


                                                Target ID:1
                                                Start time:18:28:48
                                                Start date:18/04/2024
                                                Path:C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe"
                                                Imagebase:0xba0000
                                                File size:429'056 bytes
                                                MD5 hash:A6A52958BEC5F9BCA6D3DD49072B481B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:18:28:49
                                                Start date:18/04/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:18:28:49
                                                Start date:18/04/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                Imagebase:0xa10000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3321463370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3322261762.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3322261762.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3322261762.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3322261762.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:4.8%
                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                  Signature Coverage:2.6%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:46
17691->17688 17691->17690 17693 baa4d2 17692->17693 17694 baa4f5 17692->17694 17695 bacf4e _Fputc 29 API calls 17693->17695 17694->17693 17696 baa4fd _swprintf 17694->17696 17702 baa4ea 17695->17702 17703 bab4e4 17696->17703 17697 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 17698 baa618 17697->17698 17698->17691 17702->17697 17720 bac176 17703->17720 17705 baa57e 17717 bab27c 17705->17717 17706 bab50b 17707 bacf4e _Fputc 29 API calls 17706->17707 17707->17705 17712 bab4fd _swprintf 17712->17705 17712->17706 17713 bab74c 17712->17713 17724 bac100 17712->17724 17731 bab46c 17712->17731 17734 bab7c4 17712->17734 17768 bab922 17712->17768 17714 bacf4e _Fputc 29 API calls 17713->17714 17715 bab768 17714->17715 17716 bacf4e _Fputc 29 API calls 17715->17716 17716->17705 17718 bb2b89 ___free_lconv_mon 14 API calls 17717->17718 17719 bab28c 17718->17719 17719->17702 17721 bac19a 17720->17721 17722 bac181 17720->17722 17721->17712 17723 bacf4e _Fputc 29 API calls 17722->17723 17723->17721 17725 bab410 _Fputc 43 API calls 17724->17725 17726 bac110 17725->17726 17727 bb2c3e _swprintf 43 API calls 17726->17727 17728 bac12d 17727->17728 17729 bb2c9c _swprintf 43 API calls 17728->17729 17730 bac13a 17729->17730 17730->17712 17732 baa7b4 _swprintf 43 API calls 17731->17732 17733 bab4a7 17732->17733 17733->17712 17735 bab7cb 17734->17735 17736 bab7e2 17734->17736 17737 bab821 17735->17737 17738 bab9ba 17735->17738 17739 bab949 17735->17739 17736->17737 17740 bacf4e _Fputc 29 API calls 17736->17740 17737->17712 17741 bab9bf 17738->17741 17742 baba0d 17738->17742 17743 bab94f 17739->17743 17744 bab9e7 17739->17744 17745 bab816 17740->17745 17746 baba01 17741->17746 17747 bab9c1 17741->17747 17742->17744 17749 bab98c 17742->17749 17766 bab971 _swprintf 17742->17766 17743->17749 17753 bab955 17743->17753 17750 baab5e _swprintf 30 API calls 17744->17750 17745->17712 17751 bac01e _swprintf 30 API calls 17746->17751 17748 
bab9c6 17747->17748 17758 bab963 17747->17758 17748->17744 17752 bab9cb 17748->17752 17759 baacdb _swprintf 30 API calls 17749->17759 17767 bab985 _swprintf 17749->17767 17750->17766 17751->17766 17756 bab9de 17752->17756 17757 bab9d0 17752->17757 17755 bab9a1 17753->17755 17753->17758 17753->17766 17754 babd5e _swprintf 46 API calls 17754->17766 17762 babee8 _swprintf 45 API calls 17755->17762 17755->17767 17761 babf7d _swprintf 29 API calls 17756->17761 17763 bac001 _swprintf 30 API calls 17757->17763 17757->17767 17758->17754 17758->17766 17758->17767 17759->17766 17760 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 17764 babcae 17760->17764 17761->17766 17762->17766 17763->17766 17764->17712 17765 bb3817 _swprintf 45 API calls 17765->17766 17766->17765 17766->17767 17767->17760 17769 bab9ba 17768->17769 17770 bab949 17768->17770 17771 bab9bf 17769->17771 17772 baba0d 17769->17772 17773 bab94f 17770->17773 17774 bab9e7 17770->17774 17775 baba01 17771->17775 17776 bab9c1 17771->17776 17772->17774 17780 bab98c 17772->17780 17795 bab971 _swprintf 17772->17795 17773->17780 17785 bab955 17773->17785 17781 baab5e _swprintf 30 API calls 17774->17781 17779 bac01e _swprintf 30 API calls 17775->17779 17777 bab9c6 17776->17777 17778 bab963 17776->17778 17777->17774 17783 bab9cb 17777->17783 17782 babd5e _swprintf 46 API calls 17778->17782 17778->17795 17796 bab985 _swprintf 17778->17796 17779->17795 17788 baacdb _swprintf 30 API calls 17780->17788 17780->17796 17781->17795 17782->17795 17786 bab9de 17783->17786 17787 bab9d0 17783->17787 17784 bab9a1 17791 babee8 _swprintf 45 API calls 17784->17791 17784->17796 17785->17778 17785->17784 17785->17795 17790 babf7d _swprintf 29 API calls 17786->17790 17792 bac001 _swprintf 30 API calls 17787->17792 17787->17796 17788->17795 17789 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 17793 babcae 17789->17793 
17790->17795 17791->17795 17792->17795 17793->17712 17794 bb3817 _swprintf 45 API calls 17794->17795 17795->17794 17795->17796 17796->17789 17798 ba3cd5 std::_Lockit::_Lockit 7 API calls 17797->17798 17799 ba30a1 17798->17799 17800 ba165a int 9 API calls 17799->17800 17801 ba30b4 17800->17801 17802 ba30c7 17801->17802 17851 ba1747 17801->17851 17803 ba3d2d std::_Lockit::~_Lockit 2 API calls 17802->17803 17804 ba30fd 17803->17804 17804->17645 17807 ba30de 17810 ba52f5 std::_Facet_Register 44 API calls 17807->17810 17808 ba3103 17809 ba1530 Concurrency::cancel_current_task 44 API calls 17808->17809 17811 ba3108 17809->17811 17810->17802 17861 ba3b16 17811->17861 17813 ba3122 17865 ba3a56 17813->17865 17815 ba312d 17816 ba2d3d 44 API calls 17815->17816 17817 ba3134 17816->17817 17817->17645 17957 ba3934 17818->17957 17820 ba29ee 17821 ba35f8 17820->17821 17822 ba3cd5 std::_Lockit::_Lockit 7 API calls 17821->17822 17823 ba3609 17822->17823 17824 ba165a int 9 API calls 17823->17824 17825 ba361c 17824->17825 17826 ba362f 17825->17826 17964 ba39b8 17825->17964 17827 ba3d2d std::_Lockit::~_Lockit 2 API calls 17826->17827 17828 ba3665 17827->17828 17828->17649 17831 ba366b 17833 ba1530 Concurrency::cancel_current_task 44 API calls 17831->17833 17832 ba3646 17834 ba52f5 std::_Facet_Register 44 API calls 17832->17834 17835 ba3670 17833->17835 17834->17826 17837 ba291f 17836->17837 17838 ba2935 17836->17838 17837->17838 18016 ba2ee6 17837->18016 17838->17666 17841 ba2f74 17840->17841 17843 ba2f18 17840->17843 18029 ba3085 17841->18029 17846 ba2f24 __fread_nolock std::ios_base::_Init 17843->17846 18020 ba37eb 17843->18020 17846->17649 17848 ba2903 17847->17848 17849 ba28f3 17847->17849 17848->17662 17849->17848 17850 ba2ee6 71 API calls 17849->17850 17850->17849 17852 ba1755 17851->17852 17860 ba178a 17851->17860 17853 ba5c86 codecvt 44 API calls 17852->17853 17852->17860 17854 ba1762 codecvt 17853->17854 17855 ba1585 codecvt 72 API calls 17854->17855 17856 ba1778 17855->17856 
17875 ba1714 17856->17875 17859 ba15dd std::_Locinfo::~_Locinfo 70 API calls 17859->17860 17860->17807 17860->17808 17862 ba3b2a 17861->17862 17863 ba3090 98 API calls 17862->17863 17864 ba3b33 std::ios_base::_Ios_base_dtor 17863->17864 17864->17813 17866 ba3a62 __EH_prolog3_catch 17865->17866 17867 ba274b 44 API calls 17866->17867 17868 ba3a74 17867->17868 17869 ba3a7a 17868->17869 17921 ba3048 17868->17921 17871 ba18d9 std::ios_base::_Init 44 API calls 17869->17871 17872 ba3aff 17871->17872 17873 ba2730 44 API calls 17872->17873 17874 ba3b07 codecvt 17873->17874 17874->17815 17878 ba5564 17875->17878 17890 baeb14 17878->17890 17880 ba556d __Getctype 17881 ba5587 17880->17881 17882 ba55a5 17880->17882 17895 bae9d9 17881->17895 17884 bae9d9 __Getctype 43 API calls 17882->17884 17885 ba558e 17884->17885 17900 baeb39 17885->17900 17888 ba1734 17888->17859 17891 bb3f53 __Getctype 43 API calls 17890->17891 17892 baeb1f 17891->17892 17893 bb2c11 __Getctype 43 API calls 17892->17893 17894 baeb2f 17893->17894 17894->17880 17896 bb3f53 __Getctype 43 API calls 17895->17896 17897 bae9e4 17896->17897 17898 bb2c11 __Getctype 43 API calls 17897->17898 17899 bae9f4 17898->17899 17899->17885 17901 bb3f53 __Getctype 43 API calls 17900->17901 17902 baeb44 17901->17902 17903 bb2c11 __Getctype 43 API calls 17902->17903 17904 ba55b6 17903->17904 17904->17888 17905 baefe2 17904->17905 17906 baefef _Yarn 17905->17906 17909 baf02a 17905->17909 17906->17909 17912 bb887b 17906->17912 17909->17888 17922 ba3057 17921->17922 17923 ba3063 17922->17923 17925 ba4847 17922->17925 17923->17869 17929 ba486a 17925->17929 17933 ba4863 17925->17933 17926 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 17927 ba494d 17926->17927 17927->17923 17930 ba4910 17929->17930 17931 ba48b3 17929->17931 17929->17933 17930->17933 17937 bae39d 17930->17937 17931->17933 17934 ba3edc 17931->17934 17933->17926 17943 bada30 17934->17943 17938 bae3b0 _Fputc 
17937->17938 17949 bae17c 17938->17949 17940 bae3c5 17941 bab240 _Fputc 43 API calls 17940->17941 17944 bada43 _Fputc 17943->17944 17945 bad8d6 _Fputc 45 API calls 17944->17945 17946 bada52 17945->17946 17947 bab240 _Fputc 43 API calls 17946->17947 17950 bae18a 17949->17950 17955 bae1b2 17949->17955 17951 bae1b9 17950->17951 17952 bae197 17950->17952 17950->17955 17954 bae0d5 71 API calls 17951->17954 17953 bacf4e _Fputc 29 API calls 17952->17953 17953->17955 17956 bae1f1 17954->17956 17955->17940 17956->17940 17958 ba39a5 17957->17958 17961 ba3945 std::ios_base::_Init 17957->17961 17959 ba124e std::ios_base::_Init 44 API calls 17958->17959 17960 ba39aa 17959->17960 17960->17820 17962 ba3c5b std::ios_base::_Init 44 API calls 17961->17962 17963 ba3955 __fread_nolock 17961->17963 17962->17963 17963->17820 17965 ba363f 17964->17965 17966 ba39c6 17964->17966 17965->17831 17965->17832 17966->17965 17967 ba5c86 codecvt 44 API calls 17966->17967 17968 ba39d3 codecvt 17967->17968 17969 ba1585 codecvt 72 API calls 17968->17969 17970 ba39e7 17969->17970 17974 ba3b80 17970->17974 17987 bac2b8 17974->17987 17988 bb3f53 __Getctype 43 API calls 17987->17988 17989 bac2c3 17988->17989 17990 bb2c11 __Getctype 43 API calls 17989->17990 17991 ba3b8e 17990->17991 18017 ba2ef9 18016->18017 18018 ba2ef0 18016->18018 18017->17837 18021 ba3874 18020->18021 18022 ba3804 std::ios_base::_Init 18020->18022 18023 ba124e std::ios_base::_Init 44 API calls 18021->18023 18025 ba3c5b std::ios_base::_Init 44 API calls 18022->18025 18024 ba3879 18023->18024 18026 ba3823 18025->18026 18027 ba37bf _Deallocate 43 API calls 18026->18027 18028 ba3859 18026->18028 18027->18028 18028->17846 18032 ba3e7c 18029->18032 18037 ba3dd4 18032->18037 18038 ba1120 std::exception::exception 43 API calls 18037->18038 18039 ba3de6 18038->18039 18046 ba142d 18040->18046 18044 ba1155 std::bad_exception::bad_exception 43 API calls 18043->18044 18045 ba14ac 18044->18045 18045->17282 18047 ba1e99 std::ios_base::_Init 44 API 
calls 18046->18047 18048 ba1451 18047->18048 18055 ba139d 18048->18055 18051 ba27aa std::ios_base::_Init 43 API calls 18052 ba146c 18051->18052 18053 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 18052->18053 18054 ba1480 18053->18054 18054->17406 18066 ba1ef2 18055->18066 18062 ba27aa std::ios_base::_Init 43 API calls 18063 ba13e0 18062->18063 18064 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 18063->18064 18065 ba13ff 18064->18065 18065->18051 18067 ba1f12 18066->18067 18086 ba3225 18067->18086 18069 ba13be 18070 ba131b 18069->18070 18071 ba134c 18070->18071 18072 ba1336 _strlen 18070->18072 18074 ba280b std::ios_base::_Init 44 API calls 18071->18074 18093 ba280b 18072->18093 18075 ba1372 18074->18075 18076 ba27aa std::ios_base::_Init 43 API calls 18075->18076 18077 ba137a std::ios_base::_Init 18076->18077 18078 ba27aa std::ios_base::_Init 43 API calls 18077->18078 18079 ba138d 18078->18079 18080 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 18079->18080 18081 ba139b 18080->18081 18082 ba1259 18081->18082 18083 ba1266 18082->18083 18084 ba1120 std::exception::exception 43 API calls 18083->18084 18085 ba126e 18084->18085 18085->18062 18087 ba3287 18086->18087 18089 ba3236 std::ios_base::_Init 18086->18089 18088 ba124e std::ios_base::_Init 44 API calls 18087->18088 18090 ba328c 18088->18090 18091 ba3c5b std::ios_base::_Init 44 API calls 18089->18091 18092 ba323d std::ios_base::_Init ctype 18089->18092 18091->18092 18092->18069 18094 ba284b 18093->18094 18096 ba2821 std::ios_base::_Init 18093->18096 18097 ba370b 18094->18097 18096->18071 18098 ba3728 std::ios_base::_Init 18097->18098 18099 ba37b9 18097->18099 18102 ba3c5b std::ios_base::_Init 44 API calls 18098->18102 18100 ba124e std::ios_base::_Init 44 API calls 18099->18100 18101 ba37be 18100->18101 18103 ba3747 
std::ios_base::_Init 18102->18103 18104 ba3787 std::ios_base::_Init 18103->18104 18105 ba37bf _Deallocate 43 API calls 18103->18105 18104->18096 18105->18104 18108 ba2e07 __EH_prolog3_catch 18106->18108 18107 ba2e43 codecvt 18107->17415 18108->18107 18109 ba18d9 std::ios_base::_Init 44 API calls 18108->18109 18109->18107 18112 c0765d 18110->18112 18115 c07695 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 18112->18115 18114 c07872 WriteProcessMemory 18116 c078b7 18114->18116 18115->18114 18117 c078f9 WriteProcessMemory Wow64SetThreadContext ResumeThread 18116->18117 18118 c078bc WriteProcessMemory 18116->18118 18118->18116 18120 bb05c8 18119->18120 18121 bb05b6 18119->18121 18131 bb0451 18120->18131 18146 bb0651 GetModuleHandleW 18121->18146 18126 ba5f25 18126->16518 18132 bb045d ___scrt_is_nonwritable_in_current_image 18131->18132 18154 bad06d EnterCriticalSection 18132->18154 18134 bb0467 18155 bb049e 18134->18155 18136 bb0474 18159 bb0492 18136->18159 18139 bb0620 18184 bb0694 18139->18184 18142 bb063e 18144 bb06b6 __FrameHandler3::FrameUnwindToState 3 API calls 18142->18144 18143 bb062e GetCurrentProcess TerminateProcess 18143->18142 18145 bb0646 ExitProcess 18144->18145 18147 bb05bb 18146->18147 18147->18120 18148 bb06b6 GetModuleHandleExW 18147->18148 18149 bb0716 18148->18149 18150 bb06f5 GetProcAddress 18148->18150 18152 bb071c FreeLibrary 18149->18152 18153 bb05c7 18149->18153 18150->18149 18151 bb0709 18150->18151 18151->18149 18152->18153 18153->18120 18154->18134 18156 bb04aa ___scrt_is_nonwritable_in_current_image 18155->18156 18157 bb0511 __FrameHandler3::FrameUnwindToState 18156->18157 18162 bb2223 18156->18162 18157->18136 18183 bad0b5 LeaveCriticalSection 18159->18183 18161 bb0480 18161->18126 18161->18139 18163 bb222f __EH_prolog3 18162->18163 18166 bb1f7b 18163->18166 18165 bb2256 codecvt 18165->18157 18167 bb1f87 ___scrt_is_nonwritable_in_current_image 18166->18167 18174 bad06d EnterCriticalSection 
18167->18174 18169 bb1f95 18175 bb2133 18169->18175 18174->18169 18176 bb1fa2 18175->18176 18177 bb2152 18175->18177 18179 bb1fca 18176->18179 18177->18176 18178 bb2b89 ___free_lconv_mon 14 API calls 18177->18178 18178->18176 18182 bad0b5 LeaveCriticalSection 18179->18182 18181 bb1fb3 18181->18165 18182->18181 18183->18161 18189 bba4b1 GetPEB 18184->18189 18187 bb069e GetPEB 18188 bb062a 18187->18188 18188->18142 18188->18143 18190 bba4cb 18189->18190 18191 bb0699 18189->18191 18193 bb526c 18190->18193 18191->18187 18191->18188 18194 bb51e9 std::_Lockit::_Lockit 5 API calls 18193->18194 18195 bb5288 18194->18195 18195->18191 18197 bb23e7 ___scrt_uninitialize_crt 18196->18197 18198 bb23d5 18196->18198 18197->16512 18199 bb23e3 18198->18199 18201 bad6d5 18198->18201 18199->16512 18204 bad562 18201->18204 18207 bad456 18204->18207 18208 bad462 ___scrt_is_nonwritable_in_current_image 18207->18208 18215 bad06d EnterCriticalSection 18208->18215 18210 bad4d8 18224 bad4f6 18210->18224 18211 bad46c ___scrt_uninitialize_crt 18211->18210 18216 bad3ca 18211->18216 18215->18211 18217 bad3d6 ___scrt_is_nonwritable_in_current_image 18216->18217 18227 bad24d EnterCriticalSection 18217->18227 18219 bad3e0 ___scrt_uninitialize_crt 18220 bad419 18219->18220 18228 bad670 18219->18228 18241 bad44a 18220->18241 18345 bad0b5 LeaveCriticalSection 18224->18345 18226 bad4e4 18226->18199 18227->18219 18229 bad685 _Fputc 18228->18229 18230 bad68c 18229->18230 18231 bad697 18229->18231 18232 bad562 ___scrt_uninitialize_crt 72 API calls 18230->18232 18244 bad607 18231->18244 18240 bad692 18232->18240 18235 bab240 _Fputc 43 API calls 18237 bad6cf 18235->18237 18237->18220 18238 bad6b8 18257 bb5a6e 18238->18257 18240->18235 18344 bad261 LeaveCriticalSection 18241->18344 18243 bad438 18243->18211 18245 bad647 18244->18245 18246 bad620 18244->18246 18245->18240 18250 bb3ab4 18245->18250 18246->18245 18247 bb3ab4 _Fputc 43 API calls 18246->18247 18248 bad63c 18247->18248 18268 bb6299 18248->18268 
18251 bb3ac0 18250->18251 18252 bb3ad5 18250->18252 18253 baf0de __strnicoll 14 API calls 18251->18253 18252->18238 18254 bb3ac5 18253->18254 18255 bacfcb __strnicoll 43 API calls 18254->18255 18256 bb3ad0 18255->18256 18256->18238 18258 bb5a7f 18257->18258 18259 bb5a8c 18257->18259 18260 baf0de __strnicoll 14 API calls 18258->18260 18261 bb5ad5 18259->18261 18264 bb5ab3 18259->18264 18263 bb5a84 18260->18263 18262 baf0de __strnicoll 14 API calls 18261->18262 18265 bb5ada 18262->18265 18263->18240 18311 bb59cc 18264->18311 18267 bacfcb __strnicoll 43 API calls 18265->18267 18267->18263 18270 bb62a5 ___scrt_is_nonwritable_in_current_image 18268->18270 18269 bb6369 18271 bacf4e _Fputc 29 API calls 18269->18271 18270->18269 18272 bb62fa 18270->18272 18278 bb62ad 18270->18278 18271->18278 18279 bba630 EnterCriticalSection 18272->18279 18274 bb6300 18275 bb631d 18274->18275 18280 bb63a1 18274->18280 18308 bb6361 18275->18308 18278->18245 18279->18274 18281 bb63c6 18280->18281 18307 bb63e9 __fread_nolock 18280->18307 18282 bb63ca 18281->18282 18284 bb6428 18281->18284 18307->18275 18309 bba653 ___scrt_uninitialize_crt LeaveCriticalSection 18308->18309 18312 bb59d8 ___scrt_is_nonwritable_in_current_image 18311->18312 18324 bba630 EnterCriticalSection 18312->18324 18314 bb59e7 18324->18314 18344->18243 18345->18226 18511 ba10ac 18516 ba3ca8 18511->18516 18517 ba3cb8 18516->18517 18518 ba10b1 18516->18518 18517->18518 18523 ba5868 InitializeCriticalSectionEx 18517->18523 18520 ba6174 18518->18520 18524 ba6147 18520->18524 18523->18517 18525 ba615d 18524->18525 18526 ba6156 18524->18526 18533 bb228a 18525->18533 18530 bb220d 18526->18530 18529 ba10bb 18531 bb228a 46 API calls 18530->18531 18532 bb221f 18531->18532 18532->18529 18536 bb1fd6 18533->18536 18537 bb1fe2 ___scrt_is_nonwritable_in_current_image 18536->18537 18544 bad06d EnterCriticalSection 18537->18544 18539 bb1ff0 18545 bb2031 18539->18545 18541 bb1ffd 18555 bb2025 18541->18555 18544->18539 18546 bb204c 
18545->18546 18547 bb20bf std::_Lockit::_Lockit 18545->18547 18546->18547 18548 bb209f 18546->18548 18558 bbca43 18546->18558 18547->18541 18548->18547 18549 bbca43 46 API calls 18548->18549 18551 bb20b5 18549->18551 18554 bb2b89 ___free_lconv_mon 14 API calls 18551->18554 18552 bb2095 18553 bb2b89 ___free_lconv_mon 14 API calls 18552->18553 18553->18548 18554->18547 18586 bad0b5 LeaveCriticalSection 18555->18586 18557 bb200e 18557->18529 18559 bbca6b 18558->18559 18560 bbca50 18558->18560 18562 bbca7a 18559->18562 18567 bbf7ff 18559->18567 18560->18559 18561 bbca5c 18560->18561 18563 baf0de __strnicoll 14 API calls 18561->18563 18574 bb8be5 18562->18574 18566 bbca61 __fread_nolock 18563->18566 18566->18552 18568 bbf80a 18567->18568 18569 bbf81f HeapSize 18567->18569 18570 baf0de __strnicoll 14 API calls 18568->18570 18569->18562 18571 bbf80f 18570->18571 18572 bacfcb __strnicoll 43 API calls 18571->18572 18573 bbf81a 18572->18573 18573->18562 18575 bb8bfd 18574->18575 18576 bb8bf2 18574->18576 18578 bb8c05 18575->18578 18584 bb8c0e __Getctype 18575->18584 18577 bb2bc3 __strnicoll 15 API calls 18576->18577 18583 bb8bfa 18577->18583 18579 bb2b89 ___free_lconv_mon 14 API calls 18578->18579 18579->18583 18580 bb8c38 HeapReAlloc 18580->18583 18580->18584 18581 bb8c13 18582 baf0de __strnicoll 14 API calls 18581->18582 18582->18583 18583->18566 18584->18580 18584->18581 18585 bafbbd codecvt 2 API calls 18584->18585 18585->18584 18586->18557 20135 bb65a1 20136 bb65ae 20135->20136 20140 bb65c6 20135->20140 20137 baf0de __strnicoll 14 API calls 20136->20137 20138 bb65b3 20137->20138 20139 bacfcb __strnicoll 43 API calls 20138->20139 20149 bb65be 20139->20149 20141 bb6625 20140->20141 20142 bb7b9d 14 API calls 20140->20142 20140->20149 20143 bb3ab4 _Fputc 43 API calls 20141->20143 20142->20141 20144 bb663e 20143->20144 20155 bb7485 20144->20155 20147 bb3ab4 _Fputc 43 API calls 20148 bb6677 20147->20148 20148->20149 20150 bb3ab4 _Fputc 43 API calls 20148->20150 20151 bb6685 
20150->20151 20151->20149 20152 bb3ab4 _Fputc 43 API calls 20151->20152 20153 bb6693 20152->20153 20154 bb3ab4 _Fputc 43 API calls 20153->20154 20154->20149 20156 bb7491 ___scrt_is_nonwritable_in_current_image 20155->20156 20157 bb7499 20156->20157 20162 bb74b1 20156->20162 20158 baf0cb __dosmaperr 14 API calls 20157->20158 20161 bb749e 20158->20161 20159 bb756e 20160 baf0cb __dosmaperr 14 API calls 20159->20160 20163 bb7573 20160->20163 20164 baf0de __strnicoll 14 API calls 20161->20164 20162->20159 20165 bb74e7 20162->20165 20166 baf0de __strnicoll 14 API calls 20163->20166 20184 bb6646 20164->20184 20167 bb74f0 20165->20167 20168 bb7505 20165->20168 20170 bb74fd 20166->20170 20171 baf0cb __dosmaperr 14 API calls 20167->20171 20185 bba630 EnterCriticalSection 20168->20185 20177 bacfcb __strnicoll 43 API calls 20170->20177 20173 bb74f5 20171->20173 20172 bb750b 20175 bb753c 20172->20175 20176 bb7527 20172->20176 20174 baf0de __strnicoll 14 API calls 20173->20174 20174->20170 20179 bb7599 __fread_nolock 55 API calls 20175->20179 20178 baf0de __strnicoll 14 API calls 20176->20178 20177->20184 20180 bb752c 20178->20180 20181 bb7537 20179->20181 20182 baf0cb __dosmaperr 14 API calls 20180->20182 20186 bb7566 20181->20186 20182->20181 20184->20147 20184->20149 20185->20172 20189 bba653 LeaveCriticalSection 20186->20189 20188 bb756c 20188->20184 20189->20188 20190 bb43a4 20191 bb43b0 ___scrt_is_nonwritable_in_current_image 20190->20191 20202 bad06d EnterCriticalSection 20191->20202 20193 bb43b7 20203 bba592 20193->20203 20200 bb42f4 2 API calls 20201 bb43d5 20200->20201 20222 bb43fb 20201->20222 20202->20193 20204 bba59e ___scrt_is_nonwritable_in_current_image 20203->20204 20205 bba5c8 20204->20205 20206 bba5a7 20204->20206 20225 bad06d EnterCriticalSection 20205->20225 20208 baf0de __strnicoll 14 API calls 20206->20208 20209 bba5ac 20208->20209 20210 bacfcb __strnicoll 43 API calls 20209->20210 20212 bb43c6 20210->20212 20211 bba600 20233 bba627 20211->20233 
20212->20201 20216 bb423e GetStartupInfoW 20212->20216 20213 bba5d4 20213->20211 20226 bba4e2 20213->20226 20217 bb425b 20216->20217 20218 bb42ef 20216->20218 20217->20218 20219 bba592 44 API calls 20217->20219 20218->20200 20220 bb4283 20219->20220 20220->20218 20221 bb42b3 GetFileType 20220->20221 20221->20220 20237 bad0b5 LeaveCriticalSection 20222->20237 20224 bb43e6 20225->20213 20227 bb25a2 __Getctype 14 API calls 20226->20227 20228 bba4f4 20227->20228 20230 bb54f6 6 API calls 20228->20230 20232 bba501 20228->20232 20229 bb2b89 ___free_lconv_mon 14 API calls 20231 bba556 20229->20231 20230->20228 20231->20213 20232->20229 20236 bad0b5 LeaveCriticalSection 20233->20236 20235 bba62e 20235->20212 20236->20235 20237->20224 20503 ba4bff 20504 ba4c0b __EH_prolog3_GS 20503->20504 20507 ba4c58 20504->20507 20508 ba4c71 20504->20508 20511 ba4c22 20504->20511 20519 ba3ebc 20507->20519 20522 bad76f 20508->20522 20559 ba619d 20511->20559 20513 ba27aa std::ios_base::_Init 43 API calls 20513->20511 20514 ba4c90 20515 ba4d30 20514->20515 20516 ba4d49 20514->20516 20518 bad76f 45 API calls 20514->20518 20542 ba27d0 20514->20542 20515->20513 20516->20515 20546 bae6ce 20516->20546 20518->20514 20520 bad76f 45 API calls 20519->20520 20521 ba3ec7 20520->20521 20521->20511 20523 bad77b ___scrt_is_nonwritable_in_current_image 20522->20523 20524 bad79d 20523->20524 20525 bad785 20523->20525 20562 bad24d EnterCriticalSection 20524->20562 20526 baf0de __strnicoll 14 API calls 20525->20526 20528 bad78a 20526->20528 20530 bacfcb __strnicoll 43 API calls 20528->20530 20529 bad7a7 20531 bad843 20529->20531 20532 bb3ab4 _Fputc 43 API calls 20529->20532 20536 bad795 _Fputc 20530->20536 20563 bad733 20531->20563 20538 bad7c4 20532->20538 20534 bad849 20570 bad873 20534->20570 20536->20514 20537 bad81b 20539 baf0de __strnicoll 14 API calls 20537->20539 20538->20531 20538->20537 20540 bad820 20539->20540 20541 bacfcb __strnicoll 43 API calls 20540->20541 20541->20536 20543 ba27f7 20542->20543 
20544 ba27dc 20542->20544 20574 ba3671 20543->20574 20544->20514 20547 bae6da ___scrt_is_nonwritable_in_current_image 20546->20547 20548 bae6e1 20547->20548 20549 bae6f6 20547->20549 20550 baf0de __strnicoll 14 API calls 20548->20550 20583 bad24d EnterCriticalSection 20549->20583 20552 bae6e6 20550->20552 20554 bacfcb __strnicoll 43 API calls 20552->20554 20553 bae700 20584 bae5d5 20553->20584 20557 bae6f1 20554->20557 20557->20516 20560 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 20559->20560 20561 ba61a7 20560->20561 20561->20561 20562->20529 20564 bad73f 20563->20564 20568 bad754 __fread_nolock 20563->20568 20565 baf0de __strnicoll 14 API calls 20564->20565 20566 bad744 20565->20566 20567 bacfcb __strnicoll 43 API calls 20566->20567 20569 bad74f 20567->20569 20568->20534 20569->20534 20573 bad261 LeaveCriticalSection 20570->20573 20572 bad879 20572->20536 20573->20572 20575 ba3688 std::ios_base::_Init 20574->20575 20576 ba3705 20574->20576 20579 ba3c5b std::ios_base::_Init 44 API calls 20575->20579 20577 ba124e std::ios_base::_Init 44 API calls 20576->20577 20578 ba370a 20577->20578 20580 ba36a7 std::ios_base::_Init 20579->20580 20581 ba37bf _Deallocate 43 API calls 20580->20581 20582 ba36dc std::ios_base::_Init 20580->20582 20581->20582 20582->20544 20583->20553 20585 bae5ed 20584->20585 20587 bae65d 20584->20587 20586 bb3ab4 _Fputc 43 API calls 20585->20586 20590 bae5f3 20586->20590 20588 bb7b9d 14 API calls 20587->20588 20589 bae655 20587->20589 20588->20589 20595 bae739 20589->20595 20590->20587 20591 bae645 20590->20591 20592 baf0de __strnicoll 14 API calls 20591->20592 20593 bae64a 20592->20593 20594 bacfcb __strnicoll 43 API calls 20593->20594 20594->20589 20598 bad261 LeaveCriticalSection 20595->20598 20597 bae73f 20597->20557 20598->20597 20617 ba49d9 20618 ba49ed 20617->20618 20619 ba43b6 71 API calls 20618->20619 20624 ba4a48 20618->20624 20620 ba4a18 20619->20620 20621 ba4a35 
20620->20621 20622 bae09b 70 API calls 20620->20622 20620->20624 20621->20624 20625 bad87b 20621->20625 20622->20621 20626 bad89b 20625->20626 20627 bad886 20625->20627 20629 bad8b8 20626->20629 20630 bad8a3 20626->20630 20628 baf0de __strnicoll 14 API calls 20627->20628 20631 bad88b 20628->20631 20639 bb6d26 20629->20639 20632 baf0de __strnicoll 14 API calls 20630->20632 20634 bacfcb __strnicoll 43 API calls 20631->20634 20635 bad8a8 20632->20635 20636 bad896 20634->20636 20637 bacfcb __strnicoll 43 API calls 20635->20637 20636->20624 20638 bad8b3 20637->20638 20638->20624 20640 bb6d3a _Fputc 20639->20640 20645 bb673b 20640->20645 20643 bab240 _Fputc 43 API calls 20644 bb6d54 20643->20644 20644->20638 20646 bb6747 ___scrt_is_nonwritable_in_current_image 20645->20646 20647 bb674e 20646->20647 20648 bb6771 20646->20648 20649 bacf4e _Fputc 29 API calls 20647->20649 20656 bad24d EnterCriticalSection 20648->20656 20655 bb6767 20649->20655 20651 bb677f 20657 bb67ca 20651->20657 20653 bb678e 20670 bb67c0 20653->20670 20655->20643 20656->20651 20658 bb67d9 20657->20658 20659 bb6801 20657->20659 20660 bacf4e _Fputc 29 API calls 20658->20660 20661 bb3ab4 _Fputc 43 API calls 20659->20661 20668 bb67f4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20660->20668 20662 bb680a 20661->20662 20673 bb7b21 20662->20673 20665 bb68b4 20676 bb6b2a 20665->20676 20667 bb68cb 20667->20668 20688 bb696b 20667->20688 20668->20653 20695 bad261 LeaveCriticalSection 20670->20695 20672 bb67c8 20672->20655 20674 bb7938 47 API calls 20673->20674 20675 bb6828 20674->20675 20675->20665 20675->20667 20675->20668 20677 bb6b39 ___scrt_uninitialize_crt 20676->20677 20678 bb3ab4 _Fputc 43 API calls 20677->20678 20679 bb6b55 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20678->20679 20681 bb7b21 47 API calls 20679->20681 20687 bb6b61 20679->20687 20680 ba5c73 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z 5 API calls 20682 bb6cd3 20680->20682 20683 bb6bb5 20681->20683 

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C077CC
                                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00C077DF
                                                  • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00C077FD
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C07821
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00C0784C
                                                  • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00C078A4
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00C078EF
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C0792D
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C07969
                                                  • ResumeThread.KERNELBASE(?), ref: 00C07978
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                  • String ID: GetP$Load$aryA$ress
                                                  • API String ID: 2687962208-977067982
                                                  • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                  • Instruction ID: 325aeaf332111adc57c95a5635d661d2786f87777f4ac56eee36315c382ed89e
                                                  • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                  • Instruction Fuzzy Hash: 99B1F47260028AAFDB60CF68CC80BDA73A5FF88714F158124EA18AB341D774FA41CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 750bb6e24bacf6c6c1fe22d30eab7ef70185d3f4fb1221bc52ea6ae82660aa2b
                                                  • Instruction ID: b38431a99a545ec3262524b93ca70ce3f3fc846fa93bf1af3a7c2a67181ed772
                                                  • Opcode Fuzzy Hash: 750bb6e24bacf6c6c1fe22d30eab7ef70185d3f4fb1221bc52ea6ae82660aa2b
                                                  • Instruction Fuzzy Hash: 5EE08C32912228EBCB25DB88C94899AF3ECEB45B00B1544A6B901E3210C2B0DE00D7D1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9a398322db21a4a0fba5e59ad2640d5830a167ac53607654cde88f89d890111d
                                                  • Instruction ID: 2c8cb93e67750a9f168e5a74bede1a9d1a4b69aa54821a9c82fd2a98982e1394
                                                  • Opcode Fuzzy Hash: 9a398322db21a4a0fba5e59ad2640d5830a167ac53607654cde88f89d890111d
                                                  • Instruction Fuzzy Hash: 65C01274A10A2047CE29A91482723FA3394F3D2782F8004CCC4030A782C5DE9C82DA81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00BA1E99: _strlen.LIBCMT ref: 00BA1EB1
                                                    • Part of subcall function 00BA1D5A: __EH_prolog3_catch.LIBCMT ref: 00BA1D61
                                                  • GetMapMode.GDI32(?,?,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 00BA1C90
                                                  • VirtualProtectEx.KERNELBASE(000000FF,00C074D0,000004AC,00000040,?), ref: 00BA1CAE
                                                  • FreeConsole.KERNELBASE ref: 00BA1CB4
                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00067658,00BCCAD0,00000000,?), ref: 00BA1D00
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00BA1D0B
                                                  • CloseHandle.KERNEL32(00000000), ref: 00BA1D12
                                                  Strings
                                                  • 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 00BA1C4F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseConsoleCreateFreeH_prolog3_catchHandleModeObjectProtectSingleThreadVirtualWait_strlen
                                                  • String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
                                                  • API String ID: 1073060540-32248209
                                                  • Opcode ID: 51244b1a54365cedd2b04805a79dad299137adf7fb8dacd33b53971b51be29fb
                                                  • Instruction ID: 04af1992adb330e8e5695a14ead64d59c2b3a1d23ef549dc3dabf77c38a3ca30
                                                  • Opcode Fuzzy Hash: 51244b1a54365cedd2b04805a79dad299137adf7fb8dacd33b53971b51be29fb
                                                  • Instruction Fuzzy Hash: 5F210B715083106BD728AB389C1AD9B7BD8EF4A720F100B5EF46A571D1DE206D06C7A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,F8250000,?,66377BDF,?,00BB522B,00BAB276,?,F8250000,00000000), ref: 00BB51DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 3664257935-537541572
                                                  • Opcode ID: ba5ebef5625be32f2ef0e3b38e15c5fa391d4e7233932b2d9785ea37481df961
                                                  • Instruction ID: 921042809a9ca583d315d715a70f54a6bae5f1e9900b212d6bbb311e9f3c914d
                                                  • Opcode Fuzzy Hash: ba5ebef5625be32f2ef0e3b38e15c5fa391d4e7233932b2d9785ea37481df961
                                                  • Instruction Fuzzy Hash: 5721F371A01A11EBD7329B29DC40FBE37D8EF11760F220191E816B7291DBB0ED00C6E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA309C
                                                  • int.LIBCPMT ref: 00BA30AF
                                                    • Part of subcall function 00BA165A: std::_Lockit::_Lockit.LIBCPMT ref: 00BA166B
                                                    • Part of subcall function 00BA165A: std::_Lockit::~_Lockit.LIBCPMT ref: 00BA1685
                                                  • std::_Facet_Register.LIBCPMT ref: 00BA30E2
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BA30F8
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BA3103
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                  • String ID:
                                                  • API String ID: 2081738530-0
                                                  • Opcode ID: 119c9ab62fac3bff8d34985fac8251fd3d696b44353e5fdaada6575aeb7e2699
                                                  • Instruction ID: 17758a37cc7778542fffc815a5961fa2471ebf45a7836dbc82273f25ce7fd3cf
                                                  • Opcode Fuzzy Hash: 119c9ab62fac3bff8d34985fac8251fd3d696b44353e5fdaada6575aeb7e2699
                                                  • Instruction Fuzzy Hash: EB11277260C528ABCB14AB5CDC16EAD77E8DF46B60F1402C9F9559B281EF70AF0187D4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00BB0776,?,00BB061A,00000000,?,?,00BB0776,66377BDF,?,00BB0776), ref: 00BB0631
                                                  • TerminateProcess.KERNEL32(00000000,?,00BB061A,00000000,?,?,00BB0776,66377BDF,?,00BB0776), ref: 00BB0638
                                                  • ExitProcess.KERNEL32 ref: 00BB064A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 729827ef36ccd7bd5bc15245a436c7d308505f022efd99e56088d0d8cb9d372c
                                                  • Instruction ID: 9907f40e2eeb502d6ab5e6741dc722b9ded36b3aa032a7ab49c587636bf536bd
                                                  • Opcode Fuzzy Hash: 729827ef36ccd7bd5bc15245a436c7d308505f022efd99e56088d0d8cb9d372c
                                                  • Instruction Fuzzy Hash: B3D09231010208AFCF113FA0DD0ECFE3F6AEF98341B004061B90A4A172DFB599A6DA98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BB63A1-00BB65A0; internal calls to 00BACF4E, 00BB7B7F, 00BB5F25, 00BB5AEB, 00BB5EBD, 00BB6167, 00BB607E, 00BB5FA3, 00BAF0A7; API call sites WriteFile (block 00BB64F2) and GetLastError (block 00BB6514).
                                                  APIs
                                                    • Part of subcall function 00BB5AEB: GetConsoleOutputCP.KERNEL32(66377BDF,00000000,00000000,00000000), ref: 00BB5B4E
                                                  • WriteFile.KERNEL32(?,00000000,?,00BCB310,00000000,0000000C,00000000,00000000,?,00000000,00BCB310,00000010,00BAE314,00000000,00000000,00000000), ref: 00BB650A
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00BB6514
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ConsoleErrorFileLastOutputWrite
                                                  • String ID:
                                                  • API String ID: 2915228174-0
                                                  • Opcode ID: 89293916037efc943629fdd13b80f7349c23033122ded800837682846ac2d808
                                                  • Instruction ID: 3e6442a36cdcc96ea178b4c549b4e88fb4227f3102b4dc6cd86a36494223fa0b
                                                  • Opcode Fuzzy Hash: 89293916037efc943629fdd13b80f7349c23033122ded800837682846ac2d808
                                                  • Instruction Fuzzy Hash: E4619EB1D04209AFDF208FA8C884AFEBBF9EF19304F1440D5E804A6256D3B9DD15CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BB5FA3-00BB607D; internal calls to 00BA6A20 and 00BA5C73; API call sites WriteFile (block 00BB6022) and GetLastError (block 00BB6065).
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00BB64F0,00000000,00000000,00000000,?,0000000C,00000000), ref: 00BB603F
                                                  • GetLastError.KERNEL32(?,00BB64F0,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,00BCB310,00000010,00BAE314,00000000,00000000), ref: 00BB6065
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID:
                                                  • API String ID: 442123175-0
                                                  • Opcode ID: 6a96df4ab9d3160bf0ba875e4aa4adcc04930c52ded7f45c6e5a875a94f0aa57
                                                  • Instruction ID: 6b4ae8dd99c1a2c43ef8f675d8069fb1d16ecc07392a3cab9fd103b0e3bedf60
                                                  • Opcode Fuzzy Hash: 6a96df4ab9d3160bf0ba875e4aa4adcc04930c52ded7f45c6e5a875a94f0aa57
                                                  • Instruction Fuzzy Hash: D1219134A002199FCB15DF2ADCC0AE9B7FAEB5C301F5440E9E906D7251D670DE46CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BB42F4-00BB43A3; no internal calls; API call sites GetStdHandle (block 00BB433E) and GetFileType (block 00BB4351).
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00BB4340
                                                  • GetFileType.KERNELBASE(00000000), ref: 00BB4352
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileHandleType
                                                  • String ID:
                                                  • API String ID: 3000768030-0
                                                  • Opcode ID: bf23606c60f1bbdf45b68631bb599dc1870685824485981cfe10d716c50e61be
                                                  • Instruction ID: 6b811288ab22be96e33d266fc39c7465225839429069d2e2c92e9205eb4aa596
                                                  • Opcode Fuzzy Hash: bf23606c60f1bbdf45b68631bb599dc1870685824485981cfe10d716c50e61be
                                                  • Instruction Fuzzy Hash: 7411817160475147CB348A3E8C886B67AD5F756330B3D07AAE0B6875F3C7B0D886D649
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BA4847-00BA494E; internal calls to 00BA5C73, 00BA46AB, 00BA3EDC, 00BAE39D; no direct API call sites.
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8469b0460524071e44e5c1bbe61eac27b5c6ee48468ae67e607583b3840ff34b
                                                  • Instruction ID: 2802a779d2167d669a887120cb840c7cd65c43da69d199572c2a9cb39be5647a
                                                  • Opcode Fuzzy Hash: 8469b0460524071e44e5c1bbe61eac27b5c6ee48468ae67e607583b3840ff34b
                                                  • Instruction Fuzzy Hash: 8631853190451AAFCF14CF68D4909DFB7F9FF8A324B14029AE511A7690D771F954CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog3_catch.LIBCMT ref: 00BA1D61
                                                    • Part of subcall function 00BA313B: std::_Lockit::_Lockit.LIBCPMT ref: 00BA3147
                                                    • Part of subcall function 00BA313B: int.LIBCPMT ref: 00BA315A
                                                    • Part of subcall function 00BA313B: std::_Lockit::~_Lockit.LIBCPMT ref: 00BA31A3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Lockitstd::_$H_prolog3_catchLockit::_Lockit::~_
                                                  • String ID:
                                                  • API String ID: 1693569656-0
                                                  • Opcode ID: ac8b594776bcf76c667c5688490ded15b9f987d7856b4db6c02d7de63961996c
                                                  • Instruction ID: c85441381ba7c9472c345a0a81d2134b1b13b67e1f068d5bb915730e614bdc72
                                                  • Opcode Fuzzy Hash: ac8b594776bcf76c667c5688490ded15b9f987d7856b4db6c02d7de63961996c
                                                  • Instruction Fuzzy Hash: 03218371E082459FCB05DBA8C989FEDBBF5BF49310F1481D9F505AB292DA30AD01CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BB51E9-00BB526B; internal calls to 00BB511E and 00BAFDA1; API call site GetProcAddress (block 00BB5231).
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 64d468bf0719111c2102a6c3b0ca9149bed5285bed7ed3f0ad13d938fd875731
                                                  • Instruction ID: dc6a04ca47a77bf9a4091e7dcce59f19bbf85c73891afae3d0d790dd431cfcb8
                                                  • Opcode Fuzzy Hash: 64d468bf0719111c2102a6c3b0ca9149bed5285bed7ed3f0ad13d938fd875731
                                                  • Instruction Fuzzy Hash: A801F533715A159FAB26CE6DEC41BAB37D6EBC83207184164FA05DB154DE70D8018752
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph
                                                   • Rendered graph not recovered. Basic blocks 00BA2479-00BA24EE; internal calls to 00BA2C20, 00BA1104, 00BA2947, 00BA5C73; no direct API call sites.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _swprintf
                                                  • String ID:
                                                  • API String ID: 589789837-0
                                                  • Opcode ID: bb5d4f8053a1c243aa476c3cb7d495b896ec10259871287b582b5993e7c76eb2
                                                  • Instruction ID: 73777ff1c2669d62b351b44273af578149cb549f42fed0cab12fb85a9fa94a77
                                                  • Opcode Fuzzy Hash: bb5d4f8053a1c243aa476c3cb7d495b896ec10259871287b582b5993e7c76eb2
                                                  • Instruction Fuzzy Hash: 2B01F773504208BFDB10EF58CC42DABB7ACFB49724F00051AFA5493151EA31E92487E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: b0fb2d558d6ddf7bd870ef05e577300199fb8c6f42825c7aaf678d30835f9717
                                                  • Instruction ID: 2cba4c67888d5c2ba12db1c0131167d6c54f0d384edfbb6ee8275e4907563d3b
                                                  • Opcode Fuzzy Hash: b0fb2d558d6ddf7bd870ef05e577300199fb8c6f42825c7aaf678d30835f9717
                                                  • Instruction Fuzzy Hash: 8BD22A71E082288FDB65CE28DD807EAB7F5EB54305F1445EAD44EE7240E7B8AE818F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00BBC997,00000002,00000000,?,?,?,00BBC997,?,00000000), ref: 00BBC712
                                                  • GetLocaleInfoW.KERNEL32(?,20001004,00BBC997,00000002,00000000,?,?,?,00BBC997,?,00000000), ref: 00BBC73B
                                                  • GetACP.KERNEL32(?,?,00BBC997,?,00000000), ref: 00BBC750
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                   • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00BBC95A
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00BBC9A3
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00BBC9B2
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00BBC9FA
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00BBCA19
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                  • API String ID: 415426439-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • GetACP.KERNEL32(?,?,?,?,?,?,00BB0FD3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BBBFAB
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00BB0FD3,?,?,?,00000055,?,-00000050,?,?), ref: 00BBBFD6
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00BBC139
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CodeInfoLocalePageValid
                                                  • String ID: utf8
                                                  • API String ID: 607553120-905460609
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: _strrchr
                                                  • API String ID: 3213747228-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00BA67A4
                                                  • IsDebuggerPresent.KERNEL32 ref: 00BA6870
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BA6889
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00BA6893
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                  • API String ID: 254469556-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BBC351
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BBC39B
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BBC461
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale$ErrorLast
                                                  • API String ID: 661929714-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00BACEC7
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BACED1
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00BACEDE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • API String ID: 3906539128-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BB48FD,?,?,00000008,?,?,00BC1115,00000000), ref: 00BB4B2F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • API String ID: 3997070919-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BA6292
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • API String ID: 2325560087-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00BBC5A4
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • EnumSystemLocalesW.KERNEL32(00BBC2FD,00000001,00000000,?,-00000050,?,00BBC92E,00000000,?,?,?,00000055,?), ref: 00BBC249
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00BBC519,00000000,00000000,?), ref: 00BBC7AB
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • EnumSystemLocalesW.KERNEL32(00BBC550,00000001,?,?,-00000050,?,00BBC8F2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00BBC2BC
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BAD06D: EnterCriticalSection.KERNEL32(?,?,00BB3C2B,?,00BCB1D0,00000008,00BB3DEF,?,00BAB276,?), ref: 00BAD07C
                                                  • EnumSystemLocalesW.KERNEL32(00BB4F48,00000001,00BCB290,0000000C,00BB5377,00000000), ref: 00BB4F8D
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB3F53: GetLastError.KERNEL32(?,?,00BAF174,?,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?), ref: 00BB3F57
                                                    • Part of subcall function 00BB3F53: SetLastError.KERNEL32(00000000,00BAC25F,?,?,00000003,00BAB46B,?,?,?,?,00000000,00BAC25F,?,?,?), ref: 00BB3FF9
                                                  • EnumSystemLocalesW.KERNEL32(00BBC0E5,00000001,?,?,?,00BBC950,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00BBC1C3
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00BB1B39,?,20001004,00000000,00000002,?,?,00BB113B), ref: 00BB54AF
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00006900,00BA5D9F), ref: 00BA68F9
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Uniqueness Score: -1.00%

                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                  • String ID:
                                                  • API String ID: 3471368781-0
                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • type_info::operator==.LIBVCRUNTIME ref: 00BA9517
                                                  • ___TypeMatch.LIBVCRUNTIME ref: 00BA9625
                                                  • _UnwindNestedFrames.LIBCMT ref: 00BA9777
                                                  • CallUnexpected.LIBVCRUNTIME ref: 00BA9792
                                                  Strings
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 2751267872-393685449
                                                  • Opcode ID: 835f7242161eb4cfb455d83a87196b2c26043f5b49b9882fc6e37f8b73e009e4
                                                  • Instruction ID: 5538b71095e755d0a3f1dd50a6b7e645cfeac66e87a9d87e65af5b063727fbd4
                                                  • Opcode Fuzzy Hash: 835f7242161eb4cfb455d83a87196b2c26043f5b49b9882fc6e37f8b73e009e4
                                                  • Instruction Fuzzy Hash: 97B15971808219EFCF29DFA4C8819AEBBF5EF16310F15419AE8116B212D731DE51EBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
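                                                  The "Memory Dump Source" lists above repeat the same seven .sdmp names for every function, and the dotted fields of those names carry information a practitioner wants at a glance: the base address of each dumped region and its page protection. The decoder below is an added example, not Joe Sandbox code; the field layout it assumes (process index, dump stage, sequence number, base address, protection, flags, memory type, module index) is inferred from the names on this page and is not a documented format. The protection and memory-type values are decoded with the standard Windows PAGE_* and MEM_* constants, which fit the values seen here (0x20 for the .text region at 0x00BA1000, 0x02 and 0x04 for read-only and read-write data, 0x1000000 = MEM_IMAGE). One listed region, at 0x00C07000, carries protection 0x40 (PAGE_EXECUTE_READWRITE); a writable and executable page inside a mapped image is worth inspecting in the dump, although packed or self-modifying binaries can have one legitimately.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag writable+executable
regions.  Added example; the dump-name layout is an ASSUMPTION read off the
names on this report page, not a documented Joe Sandbox format."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows PAGE_* protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Windows MEM_* region-type constants (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout (inferred from this page, not documented):
#   <proc>.<stage>.<seq>.<base>.<protect>.<flags>.<memtype>.<module>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    stage: int
    base: int
    protect: int
    memtype: int
    module: int

    @property
    def protect_name(self) -> str:
        # Only the low byte carries the PAGE_* value; guard bits etc. are ignored.
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def memtype_name(self) -> str:
        return MEM_TYPE.get(self.memtype, f"0x{self.memtype:x}")

    @property
    def is_wx(self) -> bool:
        # PAGE_EXECUTE_READWRITE (0x40) or PAGE_EXECUTE_WRITECOPY (0x80).
        return (self.protect & 0xC0) != 0


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one dump name; tolerates the 'Download File' link text that the
    report UI fuses onto the filename when the page is copied as text."""
    name = name.strip().removesuffix("Download File").strip()
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        memtype=int(m["memtype"], 16),
        module=int(m["module"], 16),
    )


def find_wx_regions(names: Iterable[str]) -> List[int]:
    """Base addresses of all regions dumped with a writable+executable protection."""
    return [r.base for r in map(parse_sdmp, names) if r.is_wx]


# The seven dump names listed under "Memory Dump Source" on this page
# (process 1, module 3, image base 0x00BA0000).
PAGE_DUMPS = [
    "00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for region in map(parse_sdmp, PAGE_DUMPS):
        print(f"{region.base:#010x}  {region.protect_name:<24} {region.memtype_name}")
    print("writable+executable:", [hex(b) for b in find_wx_regions(PAGE_DUMPS)])
```

                                                  Run as-is it prints the seven regions with their decoded protection and reports 0x00C07000 as the only writable+executable one; feed it the dump names from any other process or module block of the report to get the same triage. Treat the field meanings as a working assumption and verify them against the dump's own section headers before relying on them in a write-up.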

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3907804496
                                                  • Opcode ID: e48091b2afd43caf37942beea0335844a48bf2a98478d99afb147feb7d935675
                                                  • Instruction ID: 37e4805f29752e8327f191dda2ff9a8812e1370b5ff6fcdef985c5b3648a5185
                                                  • Opcode Fuzzy Hash: e48091b2afd43caf37942beea0335844a48bf2a98478d99afb147feb7d935675
                                                  • Instruction Fuzzy Hash: 87B1A174A48249AFDB11DF9AC880BFDBBF5EF89300F144199E4459B292CFB19D42CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCPInfo.KERNEL32(011E4DE0,011E4DE0,?,7FFFFFFF,?,00BC02AA,011E4DE0,011E4DE0,?,011E4DE0,?,?,?,?,011E4DE0,?), ref: 00BC0080
                                                  • __alloca_probe_16.LIBCMT ref: 00BC013B
                                                  • __alloca_probe_16.LIBCMT ref: 00BC01CA
                                                  • __freea.LIBCMT ref: 00BC0215
                                                  • __freea.LIBCMT ref: 00BC021B
                                                  • __freea.LIBCMT ref: 00BC0251
                                                  • __freea.LIBCMT ref: 00BC0257
                                                  • __freea.LIBCMT ref: 00BC0267
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16$Info
                                                  • String ID:
                                                  • API String ID: 127012223-0
                                                  • Opcode ID: e4ff50703100888cd3cf9a21426847b6e0f5f7a08a0597fbd528df3e5ce63d5e
                                                  • Instruction ID: d171c0442045080a7ea8e2bcf7fe8093829a7840c567577e3e64fc52f8d8f561
                                                  • Opcode Fuzzy Hash: e4ff50703100888cd3cf9a21426847b6e0f5f7a08a0597fbd528df3e5ce63d5e
                                                  • Instruction Fuzzy Hash: 5771D372914209EBDF31AF948C86FEE7BE9DF49710F2900DDE944AB282DB758D408761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00BA5AD2
                                                  • __alloca_probe_16.LIBCMT ref: 00BA5AFE
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00BA5B3D
                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BA5B5A
                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00BA5B99
                                                  • __alloca_probe_16.LIBCMT ref: 00BA5BB6
                                                  • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BA5BF8
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00BA5C1B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                  • String ID:
                                                  • API String ID: 2040435927-0
                                                  • Opcode ID: c7f4282d3d5f8b1f9ceb47e3aa04c87b42b78c997cafaf99ff43d3e25b479a22
                                                  • Instruction ID: 5c53822ce43f7130c510431c6f932a98659b7521f0f3da33a936ad4fdf617a95
                                                  • Opcode Fuzzy Hash: c7f4282d3d5f8b1f9ceb47e3aa04c87b42b78c997cafaf99ff43d3e25b479a22
                                                  • Instruction Fuzzy Hash: 1251DFB260860AABDB309F64CC45FAB7BF9EF46760F1440A5F915E6154E734CE00CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • __EH_prolog3.LIBCMT ref: 00BA3EFD
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA3F07
                                                  • int.LIBCPMT ref: 00BA3F1E
                                                    • Part of subcall function 00BA165A: std::_Lockit::_Lockit.LIBCPMT ref: 00BA166B
                                                    • Part of subcall function 00BA165A: std::_Lockit::~_Lockit.LIBCPMT ref: 00BA1685
                                                  • codecvt.LIBCPMT ref: 00BA3F41
                                                  • std::_Facet_Register.LIBCPMT ref: 00BA3F58
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BA3F78
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BA3F85
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                  • String ID:
                                                  • API String ID: 2133458128-0
                                                  • Opcode ID: da0890da82b980d113de953d62c3ae6d1cfd3edd926077ad88ad7160254439d2
                                                  • Instruction ID: 61eb9af96c9e24ccf84042c3b5ebf141db22d839c4fc88bd2963d7529350e441
                                                  • Opcode Fuzzy Hash: da0890da82b980d113de953d62c3ae6d1cfd3edd926077ad88ad7160254439d2
                                                  • Instruction Fuzzy Hash: 6411B1719186159FCB05EFA8D8016AEBBF4EF46720F14059DF415A7382DF70AE01CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,00BA9081,00BA73F2,00BA6944), ref: 00BA9098
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BA90A6
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BA90BF
                                                  • SetLastError.KERNEL32(00000000,00BA9081,00BA73F2,00BA6944), ref: 00BA9111
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 7715df194b133700e4ca5ce0bf8c73066ded9318f62916b55b35edc97d82de66
                                                  • Instruction ID: 84bf3fbc863b42868886945ae8bc94bc9dc8b30e7c16e454e3039c1774b2369e
                                                  • Opcode Fuzzy Hash: 7715df194b133700e4ca5ce0bf8c73066ded9318f62916b55b35edc97d82de66
                                                  • Instruction Fuzzy Hash: 9701D47260C312AEBA2427746C8AB5B2BC6EB1777832002ABF514970E1EF624C11E169
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,66377BDF,?,?,00000000,00BC1BE7,000000FF,?,00BB0646,00BB0776,?,00BB061A,00000000), ref: 00BB06EB
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BB06FD
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00BC1BE7,000000FF,?,00BB0646,00BB0776,?,00BB061A,00000000), ref: 00BB071F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: dc8a83381bff61ede5ecd3864524f21acf009c2f8bb61f245300f51a3c4d9c28
                                                  • Instruction ID: 454037e62d1c90d759c525b9379a4ae18e5cec3aead9d7d667d690256cf396b6
                                                  • Opcode Fuzzy Hash: dc8a83381bff61ede5ecd3864524f21acf009c2f8bb61f245300f51a3c4d9c28
                                                  • Instruction Fuzzy Hash: B8014431914619EFDB119F54CC09FBFBBF8FB08754F040569E811A32A0DFB49900CA90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • __alloca_probe_16.LIBCMT ref: 00BB86CB
                                                  • __alloca_probe_16.LIBCMT ref: 00BB878C
                                                  • __freea.LIBCMT ref: 00BB87F3
                                                    • Part of subcall function 00BB2BC3: HeapAlloc.KERNEL32(00000000,00BB9BE6,45890008,?,00BB9BE6,00000220,?,00BAC25F,45890008), ref: 00BB2BF5
                                                  • __freea.LIBCMT ref: 00BB8808
                                                  • __freea.LIBCMT ref: 00BB8818
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16$AllocHeap
                                                  • String ID:
                                                  • API String ID: 1096550386-0
                                                  • Opcode ID: ae1304b653290e8c874c1a1b2449139b4f1c968fc03b88aef41a21726c094885
                                                  • Instruction ID: aa55a3ac450afcbac8f8304ac6755f951d04416a250b56d28bb42f4675006bc6
                                                  • Opcode Fuzzy Hash: ae1304b653290e8c874c1a1b2449139b4f1c968fc03b88aef41a21726c094885
                                                  • Instruction Fuzzy Hash: D2517F7260020AAFEB219E65CC85EFB3BEDEB44354B6505A9FD19D6150EFB1CC10C7A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA3147
                                                  • int.LIBCPMT ref: 00BA315A
                                                    • Part of subcall function 00BA165A: std::_Lockit::_Lockit.LIBCPMT ref: 00BA166B
                                                    • Part of subcall function 00BA165A: std::_Lockit::~_Lockit.LIBCPMT ref: 00BA1685
                                                  • std::_Facet_Register.LIBCPMT ref: 00BA318D
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BA31A3
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BA31AE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                  • String ID:
                                                  • API String ID: 2081738530-0
                                                  • Opcode ID: 01f8f34723e87342a297ee45976ab3d42886648bc720410cd36eef1c62345876
                                                  • Instruction ID: 719e870a8cf5eab70676c8d96a10f631a8f6d092f3b622a154cd23a2b621aa0d
                                                  • Opcode Fuzzy Hash: 01f8f34723e87342a297ee45976ab3d42886648bc720410cd36eef1c62345876
                                                  • Instruction Fuzzy Hash: 1601A772908614BFCB14AB58DC1599E7BE8DF82B60F1441D5F511AB290EF309F05C790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA3604
                                                  • int.LIBCPMT ref: 00BA3617
                                                    • Part of subcall function 00BA165A: std::_Lockit::_Lockit.LIBCPMT ref: 00BA166B
                                                    • Part of subcall function 00BA165A: std::_Lockit::~_Lockit.LIBCPMT ref: 00BA1685
                                                  • std::_Facet_Register.LIBCPMT ref: 00BA364A
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BA3660
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00BA366B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                  • String ID:
                                                  • API String ID: 2081738530-0
                                                  • Opcode ID: 3aa5e4aea0939fa0863f3b152576a18a39924d1f9665b3ee914ebc75d5a03f4b
                                                  • Instruction ID: 1854335a241f5dce10a7eec3506cba4801dc0af363e6f0001427d59627e1ef76
                                                  • Opcode Fuzzy Hash: 3aa5e4aea0939fa0863f3b152576a18a39924d1f9665b3ee914ebc75d5a03f4b
                                                  • Instruction Fuzzy Hash: 1001847290C618BBCB14AB5CDC4599E77E8DF42B60F2445D5F91297291EF309F45C780
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • __EH_prolog3.LIBCMT ref: 00BA532E
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA5339
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00BA53A7
                                                    • Part of subcall function 00BA548A: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00BA54A2
                                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00BA5354
                                                  • _Yarn.LIBCPMT ref: 00BA536A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                  • String ID:
                                                  • API String ID: 1088826258-0
                                                  • Opcode ID: 4533e50be918e901ba6d9f26deb4e7457206a6f0a082176903a2bc999ed1b4b3
                                                  • Instruction ID: 589126677cd59a49d3221f30caad3d5defc4853a95ba6bd0b6ed2d249ffc97f7
                                                  • Opcode Fuzzy Hash: 4533e50be918e901ba6d9f26deb4e7457206a6f0a082176903a2bc999ed1b4b3
                                                  • Instruction Fuzzy Hash: 7D01BC71A08A119BCB09EB60D841A7C7BE1EFCA390B19008DE91267391DF346E42CB84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00BAA183,00000000,?,00C0847C,?,?,?,00BAA326,00000004,InitializeCriticalSectionEx,00BC3BD0,InitializeCriticalSectionEx), ref: 00BAA1DF
                                                  • GetLastError.KERNEL32(?,00BAA183,00000000,?,00C0847C,?,?,?,00BAA326,00000004,InitializeCriticalSectionEx,00BC3BD0,InitializeCriticalSectionEx,00000000,?,00BAA0DD), ref: 00BAA1E9
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00BAA211
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID: api-ms-
                                                  • API String ID: 3177248105-2084034818
                                                  • Opcode ID: 65c9a7350e7d3d24efde0dde4f553f8054e47730deae0493480eb0609a0c10cb
                                                  • Instruction ID: a73d66340f19aca29b18f70f08282e71523912ebd0868f484274ab12e7f421ac
                                                  • Opcode Fuzzy Hash: 65c9a7350e7d3d24efde0dde4f553f8054e47730deae0493480eb0609a0c10cb
                                                  • Instruction Fuzzy Hash: 8EE01A302C4308FBEE201B61EC06F593E94EB11B44F504062F90CA80A1DBA29960C6A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetConsoleOutputCP.KERNEL32(66377BDF,00000000,00000000,00000000), ref: 00BB5B4E
                                                    • Part of subcall function 00BB8CD7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BB87E9,?,00000000,-00000008), ref: 00BB8D83
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BB5DA9
                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BB5DF1
                                                  • GetLastError.KERNEL32 ref: 00BB5E94
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                  • String ID:
                                                  • API String ID: 2112829910-0
                                                  • Opcode ID: 63ddcaaf65efd54be75fa65580fdc94f26560febed242cceb9a006b8cf472377
                                                  • Instruction ID: 0c2a64aa1318232fa5e3bb6a835519b77a70eba77e06224a432a1013ed6e2958
                                                  • Opcode Fuzzy Hash: 63ddcaaf65efd54be75fa65580fdc94f26560febed242cceb9a006b8cf472377
                                                  • Instruction Fuzzy Hash: 56D16975D006489FCF25CFA8D880AEDBBF5FF09300F1885AAE865EB251E770A941CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AdjustPointer
                                                  • String ID:
                                                  • API String ID: 1740715915-0
                                                  • Opcode ID: 103b79e3f7f990de047a049e032a75fd037c0787b1a3ba07bd253d00db01ac9d
                                                  • Instruction ID: f564fe7ef345ef22247f82b5665b5208744b41fb82ef50d30404e04eb089f71d
                                                  • Opcode Fuzzy Hash: 103b79e3f7f990de047a049e032a75fd037c0787b1a3ba07bd253d00db01ac9d
                                                  • Instruction Fuzzy Hash: 3451F27660D306BFEB288F54C880B7A73F4EF46710F1480ADE81657691EB31AC44EB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 00BB8CD7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BB87E9,?,00000000,-00000008), ref: 00BB8D83
                                                  • GetLastError.KERNEL32 ref: 00BB9157
                                                  • __dosmaperr.LIBCMT ref: 00BB915E
                                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00BB9198
                                                  • __dosmaperr.LIBCMT ref: 00BB919F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 1913693674-0
                                                  • Opcode ID: af67d3795018a63b9fe026d680d1670e850f01b01e4180ea9179c335914079c6
                                                  • Instruction ID: de457ac577765de0abca811cea439c6402cd972e7ad5723d749497842fc78041
                                                  • Opcode Fuzzy Hash: af67d3795018a63b9fe026d680d1670e850f01b01e4180ea9179c335914079c6
                                                  • Instruction Fuzzy Hash: F421B671604207BFDB20AF698C859FBB7E9EF4536471085A9FA19A7141D7B1EC00EBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4f4839e284dd07d2d04bcb8f850fe023aeccec6f4c93c081db21d646aa074bb
                                                  • Instruction ID: 6085a4232bce828d63d285f45fd8f33a96def8a7996a36022150c8ea5c13fac8
                                                  • Opcode Fuzzy Hash: a4f4839e284dd07d2d04bcb8f850fe023aeccec6f4c93c081db21d646aa074bb
                                                  • Instruction Fuzzy Hash: 4E218E35608207AF9B20AFE1D8808FAB7EAEF0636471045B6F915D7141EB30EC00C761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 00BBA091
                                                    • Part of subcall function 00BB8CD7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00BB87E9,?,00000000,-00000008), ref: 00BB8D83
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BBA0C9
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BBA0E9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 158306478-0
                                                  • Opcode ID: 27053b1241ca32a6b8f79e169be28a101e66be722dcd88708baeab895bb44c6d
                                                  • Instruction ID: c3e61f0c5a2b23f6aa9dd07779a80278ec78f8b858090d0317c6f21530896654
                                                  • Opcode Fuzzy Hash: 27053b1241ca32a6b8f79e169be28a101e66be722dcd88708baeab895bb44c6d
                                                  • Instruction Fuzzy Hash: BF11C4B29056167F6A212B759CCACFF6EDCDE4E3A5B1400A4F605E2101FEF4CD0085B2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00BBEB0C,00000000,00000001,00000000,00000000,?,00BB5EE8,00000000,00000000,00000000), ref: 00BBFD7D
                                                  • GetLastError.KERNEL32(?,00BBEB0C,00000000,00000001,00000000,00000000,?,00BB5EE8,00000000,00000000,00000000,00000000,00000000,?,00BB646F,00000000), ref: 00BBFD89
                                                    • Part of subcall function 00BBFD4F: CloseHandle.KERNEL32(FFFFFFFE,00BBFD99,?,00BBEB0C,00000000,00000001,00000000,00000000,?,00BB5EE8,00000000,00000000,00000000,00000000,00000000), ref: 00BBFD5F
                                                  • ___initconout.LIBCMT ref: 00BBFD99
                                                    • Part of subcall function 00BBFD11: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00BBFD40,00BBEAF9,00000000,?,00BB5EE8,00000000,00000000,00000000,00000000), ref: 00BBFD24
                                                  • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00BBEB0C,00000000,00000001,00000000,00000000,?,00BB5EE8,00000000,00000000,00000000,00000000), ref: 00BBFDAE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: 7d8abe060195a50e1bd9c9b488c293dbfb9d34caf0ada92c7708480a5145ee9b
                                                  • Instruction ID: 3b1d9af610319b2d2290626cb57c4310a75b6dc684d8ac863dcfac220b968357
                                                  • Opcode Fuzzy Hash: 7d8abe060195a50e1bd9c9b488c293dbfb9d34caf0ada92c7708480a5145ee9b
                                                  • Instruction Fuzzy Hash: D3F0AC3750012ABBCF226F96DC09DEA3F66FB093A1B044060FA1D96131CA728920DB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00BA8ECF
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00BA8F83
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3480331319-1018135373
                                                  • Opcode ID: 9a23ec63f3d780d73e890f329675fb67d1cefe7d91b06e60ced73de4088560f5
                                                  • Instruction ID: 1a3aa7b15c02cc9da285b62099e23955fc35c3bb52f24016e6829e44f5f09b7e
                                                  • Opcode Fuzzy Hash: 9a23ec63f3d780d73e890f329675fb67d1cefe7d91b06e60ced73de4088560f5
                                                  • Instruction Fuzzy Hash: B8417434A04209DFCF10DF68C885A9EBBE6EF46314F1485D5F818AB792DB32DA15CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • EncodePointer.KERNEL32(00000000,?), ref: 00BA97C2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID: MOC$RCC
                                                  • API String ID: 2118026453-2084237596
                                                  • Opcode ID: ea11244ef197d419e5da83d171e3575b15d1637abf791f8f96e7c84133584893
                                                  • Instruction ID: 2d288e8286e927db24ef1e01d3281668b5407193b790a53881a68bdeb9d1a683
                                                  • Opcode Fuzzy Hash: ea11244ef197d419e5da83d171e3575b15d1637abf791f8f96e7c84133584893
                                                  • Instruction Fuzzy Hash: C4416431904209AFDF16DF98CD81AEEBBF5FF4A340F1880A9F914A7261D7399950EB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00BA158C
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BA15C4
                                                    • Part of subcall function 00BA5425: _Yarn.LIBCPMT ref: 00BA5444
                                                    • Part of subcall function 00BA5425: _Yarn.LIBCPMT ref: 00BA5468
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2067273566.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                  • Associated: 00000001.00000002.2067252678.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067303156.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067325321.0000000000BCC000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067353851.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067365493.0000000000C08000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000001.00000002.2067378954.0000000000C09000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ba0000_RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                  • String ID: bad locale name
                                                  • API String ID: 1908188788-1405518554
                                                  • Opcode ID: a6cca2575ee7946d72377104c8efc2846a52aa06a5b4ccec2a7af2117c3103de
                                                  • Instruction ID: 999fec821aa89952633f94dfddfc62bede30848ade13dd7273b4f9670b46fba3
                                                  • Opcode Fuzzy Hash: a6cca2575ee7946d72377104c8efc2846a52aa06a5b4ccec2a7af2117c3103de
                                                  • Instruction Fuzzy Hash: 99F01772509B809E83309F6A8481447FBE4BE29721790CE6EE0DEC3A11D730E544CB6A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:7.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:56
                                                  Total number of Limit Nodes:9
                                                  execution_graph
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d365e348af1ff4ed22f12a674acfc502d5d4e19c69cb4514181ac99397fac945
                                                  • Instruction ID: def931d2e552bafcfd463b5615af2a0a97589ab9f4ce74faa53732e22c1a99d3
                                                  • Opcode Fuzzy Hash: d365e348af1ff4ed22f12a674acfc502d5d4e19c69cb4514181ac99397fac945
                                                  • Instruction Fuzzy Hash: 66530931C10B5A9ACB51EF68C880699F7B1FF99300F15D79AE45877221FB70AAD4CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4e7999ffa7632d3bd80c15493aed4f9bea6122531cd8150eafa73763dab1657e
                                                  • Instruction ID: 34f8c403989c24fba7160d663ba3d322deb0c679158b5978955bebd2ef4ad3c4
                                                  • Opcode Fuzzy Hash: 4e7999ffa7632d3bd80c15493aed4f9bea6122531cd8150eafa73763dab1657e
                                                  • Instruction Fuzzy Hash: 1DB16C70E002099FDF10CFA9E9817ADBBF2AF88714F148129D815EB794EB749845CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5d9d7b87afa2a04b2c9f65abefbc74f61b7b86e831df9ff9d8d5620a0b0b16c3
                                                  • Instruction ID: fa3f7581ea99927f35c1a45bc814a9f4a9c80ba4b77bc0650be08e8b573acde6
                                                  • Opcode Fuzzy Hash: 5d9d7b87afa2a04b2c9f65abefbc74f61b7b86e831df9ff9d8d5620a0b0b16c3
                                                  • Instruction Fuzzy Hash: 3B916D70E00209EFDF10CFA9D99579EBBF2AF88714F148129E405A7794EB749885CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 456 5abe968-5abe973 457 5abe99d-5abe9bc call 5abe558 456->457 458 5abe975-5abe99c call 5abd1c8 456->458 464 5abe9be-5abe9c1 457->464 465 5abe9c2-5abea21 457->465 471 5abea23-5abea26 465->471 472 5abea27-5abeab4 GlobalMemoryStatusEx 465->472 475 5abeabd-5abeae5 472->475 476 5abeab6-5abeabc 472->476 476->475
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3324001454.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5ab0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e32a6a3354252ff57ff791ace4257f9767ed90d5515036ae77143f904461c77
                                                  • Instruction ID: bd896352e8e8c301225d80566b978efaa872d751e87a7ded3c72ac1808462850
                                                  • Opcode Fuzzy Hash: 3e32a6a3354252ff57ff791ace4257f9767ed90d5515036ae77143f904461c77
                                                  • Instruction Fuzzy Hash: DE41F472E043968FDB04DF79D8047DEBBF9AF89210F14856AD504A7242DB74A845CBD1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
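The graph listings above are the Joe Sandbox IDA plugin's flattened node/edge text: a decimal node id followed by a hex address (execution graph) or address range (control-flow graph), optional API names or "call <addr>" targets attached to that node, and "a->b" edges. The parser below is an added example, not part of this report and not Joe Sandbox's own tooling; it reads that text, attaches API names to basic blocks and answers the question a reviewer asks of such a graph: from which blocks is the GlobalMemoryStatusEx call reachable. The sample input is the control-flow graph of 5abe968 as printed above plus a trimmed slice of the execution graph; the handling of the "N API calls" annotation and all function names are my assumptions about the format, derived only from the listings on this page.

```python
import re
from dataclasses import dataclass, field

# Graph text copied from the report: the control-flow graph of the routine at 5abe968
# in the RegAsm memory dump based at 05AB0000 (hcaresult_3_2_5ab0000_RegAsm.jbxd).
SAMPLE_CFG = (
    "control_flow_graph 456 5abe968-5abe973 457 5abe99d-5abe9bc call 5abe558 456->457 "
    "458 5abe975-5abe99c call 5abd1c8 456->458 464 5abe9be-5abe9c1 457->464 "
    "465 5abe9c2-5abea21 457->465 471 5abea23-5abea26 465->471 "
    "472 5abea27-5abeab4 GlobalMemoryStatusEx 465->472 475 5abeabd-5abeae5 472->475 "
    "476 5abeab6-5abeabc 472->476 476->475"
)

# Trimmed slice of the execution graph from the same report: nodes carry a single start
# address and may be annotated with "N API calls" instead of listing API names.
SAMPLE_EXEC = (
    "execution_graph 26031 5abd9df 26033 5abd9ee 26031->26033 26032 5abdc1a "
    "26033->26032 26034 5abdc30 GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx 26033->26034 26034->26033 26059 5abe968 2 API calls "
    "26057->26059"
)

ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "5abe968" or "5abe968-5abe973"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")               # "456->457"


@dataclass
class Node:
    nid: int
    start: int
    end: int
    apis: list = field(default_factory=list)    # imported API names hit in this block
    calls: list = field(default_factory=list)   # "call <addr>" targets inside the dump
    api_call_count: int = 0                     # from a "N API calls" summary annotation


@dataclass
class Graph:
    kind: str = ""
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)


def parse_graph(text: str) -> Graph:
    """Tokenise one flattened graph line into nodes, attached APIs/calls and edges."""
    toks = text.split()
    g = Graph()
    if toks and toks[0] in ("control_flow_graph", "execution_graph"):
        g.kind = toks.pop(0)
    cur = None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # "N API calls" summarises the current node; it does not start a new one.
        if t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            if cur is None:
                raise ValueError("annotation before any node")
            cur.api_call_count = int(t)
            i += 3
            continue
        # A node is a decimal id followed by a hex address or address range.
        if t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Node(int(t), int(lo, 16), int(hi or lo, 16))
            g.nodes[cur.nid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"unexpected token before first node: {t!r}")
        if t == "call" and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
            continue
        cur.apis.append(t)          # anything else is an API name on the current node
        i += 1
    return g


def api_callers(g: Graph, api: str) -> list:
    """Node ids whose block invokes the given imported API."""
    return sorted(n.nid for n in g.nodes.values() if api in n.apis)


def entry_nodes(g: Graph) -> list:
    """Nodes with no incoming edge: where execution enters the graph."""
    targets = {b for _, b in g.edges}
    return sorted(nid for nid in g.nodes if nid not in targets)


def reachable(g: Graph, src: int) -> set:
    """All node ids reachable from src (src included), by DFS over the edge list."""
    succ = {}
    for a, b in g.edges:
        succ.setdefault(a, []).append(b)
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ.get(n, []))
    return seen


def blocks_reaching_api(g: Graph, api: str) -> dict:
    """For every node, whether a block calling `api` is reachable from it."""
    hits = set(api_callers(g, api))
    return {nid: bool(reachable(g, nid) & hits) for nid in g.nodes}


if __name__ == "__main__":
    cfg = parse_graph(SAMPLE_CFG)
    for nid, hit in blocks_reaching_api(cfg, "GlobalMemoryStatusEx").items():
        n = cfg.nodes[nid]
        print(f"{nid:>5} {n.start:08x}-{n.end:08x} reaches GlobalMemoryStatusEx: {hit}")
```

Run on the 5abe968 graph, this shows that the API is only reached through the 457 -> 465 -> 472 path, while the 458 branch (the block that calls 5abd1c8) never touches it; that is the branch an analyst wants to understand before deciding whether the memory query is an environment check or ordinary telemetry.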

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 479 5abe558-5abeab4 GlobalMemoryStatusEx 482 5abeabd-5abeae5 479->482 483 5abeab6-5abeabc 479->483 483->482
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05ABE9BA), ref: 05ABEAA7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3324001454.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5ab0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 20fed2bf65b6da35ea9e97e0bdb2bb2d434c576e3a87fe39c199ff2c70a1d036
                                                  • Instruction ID: 3a5b63d86cb6c0c958c876939100ef9f53c620a13699edde0f2c1de6364ae454
                                                  • Opcode Fuzzy Hash: 20fed2bf65b6da35ea9e97e0bdb2bb2d434c576e3a87fe39c199ff2c70a1d036
                                                  • Instruction Fuzzy Hash: 961147B1C006599BDB10CF9AD444BDEFBF8BF48620F14816AD918B7240D3B8A950CFE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 486 5abea38-5abea7e 487 5abea86-5abeab4 GlobalMemoryStatusEx 486->487 488 5abeabd-5abeae5 487->488 489 5abeab6-5abeabc 487->489 489->488
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05ABE9BA), ref: 05ABEAA7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3324001454.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5ab0000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: cbbd5be7849683274bb59044ea1c6fdfbeac5a66b8dfb0b370d1941936509ee5
                                                  • Instruction ID: ef2c8842b36f82da6ab0b3bcb1d5088111e3daed968ac8f6229dfb62a4db9715
                                                  • Opcode Fuzzy Hash: cbbd5be7849683274bb59044ea1c6fdfbeac5a66b8dfb0b370d1941936509ee5
                                                  • Instruction Fuzzy Hash: AE1144B2C0065ADBDB00CFAAD544BDEFBB4BF48320F14852AD418B3240D378A950CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
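The APIs entry above records kernel32!GlobalMemoryStatusEx at 05ABEAA7, and the execution graph shows the call issued three times back to back from the blocks at 5abdc30 and 5abdc40. The API fills a 64-byte MEMORYSTATUSEX structure with physical, page-file and virtual memory totals. In a stealer, repeated calls to it usually belong to an environment check on physical RAM, because analysis VMs are often provisioned with little memory. The following is an added example, not code from the sample or from the report: it lays out the structure, parses it, and applies such a threshold check to constructed buffers. The 2 GiB threshold and the claim that this is what the sample does with the value are assumptions; the report shows only that the API is called.

```python
import struct
import sys

# MEMORYSTATUSEX as laid out by kernel32 (64 bytes, little-endian):
#   DWORD dwLength, DWORD dwMemoryLoad, then seven DWORDLONG byte counts.
MEMORYSTATUSEX_FMT = "<II7Q"
MEMORYSTATUSEX_SIZE = struct.calcsize(MEMORYSTATUSEX_FMT)   # 64
FIELDS = ("dwLength", "dwMemoryLoad", "ullTotalPhys", "ullAvailPhys",
          "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
          "ullAvailVirtual", "ullAvailExtendedVirtual")
GIB = 1024 ** 3
X64_USER_VA = 0x7FFF_FFFF_0000   # typical user-mode virtual range reported on x64


def build_memorystatusex(total_phys: int, avail_phys: int) -> bytes:
    """Constructed buffer imitating what GlobalMemoryStatusEx fills in, so the check
    below can be exercised without a Windows host. Page-file and virtual figures are
    plausible placeholders, not values observed in the report."""
    memory_load = 100 - (100 * avail_phys // total_phys)       # percent in use
    total_pagefile = total_phys * 2
    avail_pagefile = total_pagefile - (total_phys - avail_phys)
    return struct.pack(MEMORYSTATUSEX_FMT, MEMORYSTATUSEX_SIZE, memory_load,
                       total_phys, avail_phys, total_pagefile, avail_pagefile,
                       X64_USER_VA, X64_USER_VA - 0x1000_0000, 0)


def parse_memorystatusex(buf: bytes) -> dict:
    """Decode a filled-in MEMORYSTATUSEX; rejects short buffers and a bad dwLength."""
    if len(buf) < MEMORYSTATUSEX_SIZE:
        raise ValueError(f"buffer is {len(buf)} bytes, need {MEMORYSTATUSEX_SIZE}")
    st = dict(zip(FIELDS, struct.unpack_from(MEMORYSTATUSEX_FMT, buf)))
    # The API fails with ERROR_INVALID_PARAMETER unless the caller set dwLength first,
    # so a successfully filled structure always carries 64 here.
    if st["dwLength"] != MEMORYSTATUSEX_SIZE:
        raise ValueError(f"dwLength is {st['dwLength']}, expected {MEMORYSTATUSEX_SIZE}")
    return st


def ram_looks_like_sandbox(st: dict, min_total_gib: float = 2.0) -> bool:
    """The evasion heuristic: a host with less than min_total_gib of physical RAM is
    treated as an analysis machine. The threshold is an assumption for illustration."""
    return st["ullTotalPhys"] < min_total_gib * GIB


def sandbox_verdict(buf: bytes, min_total_gib: float = 2.0) -> bool:
    """Parse a raw structure and return the verdict the malware's branch would take."""
    return ram_looks_like_sandbox(parse_memorystatusex(buf), min_total_gib)


def query_live_memorystatusex() -> dict:
    """Windows only: issue the real kernel32!GlobalMemoryStatusEx call through ctypes."""
    if sys.platform != "win32":
        raise OSError("GlobalMemoryStatusEx is only available on Windows")
    import ctypes
    buf = ctypes.create_string_buffer(MEMORYSTATUSEX_SIZE)
    struct.pack_into("<I", buf, 0, MEMORYSTATUSEX_SIZE)     # dwLength must be set first
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(buf):
        raise ctypes.WinError()
    return parse_memorystatusex(buf.raw)


if __name__ == "__main__":
    # Constructed inputs: a 1 GiB analysis VM and a 16 GiB workstation.
    for label, buf in (("1 GiB VM", build_memorystatusex(1 * GIB, 512 * 1024 ** 2)),
                       ("16 GiB host", build_memorystatusex(16 * GIB, 9 * GIB))):
        st = parse_memorystatusex(buf)
        print(f"{label}: total={st['ullTotalPhys'] // GIB} GiB load={st['dwMemoryLoad']}% "
              f"sandbox={sandbox_verdict(buf)}")
```

To run the check against a real host, query_live_memorystatusex() issues the call through ctypes on Windows only. The defensive point is that whatever branch follows the call is decided by ullTotalPhys, so an analysis VM provisioned with realistic RAM, or a hook that rewrites that field before returning to the caller, takes the same path a victim machine would; a 1 GiB sandbox does not.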

                                                  Control-flow Graph

                                                  control_flow_graph 492 2d10848-2d1084c 493 2d1084e-2d10851 492->493 494 2d10853 call 2d1137f 493->494 495 2d1085e-2d10861 493->495 500 2d10859 494->500 496 2d10863 495->496 497 2d1086e-2d10871 495->497 501 2d10869 496->501 498 2d108f5-2d108f8 497->498 499 2d10877-2d10887 497->499 502 2d10909-2d1090b 498->502 503 2d108fa 498->503 508 2d108b9-2d108c1 499->508 509 2d10889-2d108b7 499->509 500->495 501->497 504 2d10912-2d10915 502->504 505 2d1090d 502->505 510 2d10904 503->510 504->493 507 2d1091b-2d1091d 504->507 505->504 511 2d108c3-2d108c5 508->511 512 2d108c7-2d108c9 508->512 509->508 510->502 513 2d108cf-2d108d1 511->513 512->513 515 2d108d3-2d108d9 513->515 516 2d108e9-2d108f0 513->516 517 2d108db 515->517 518 2d108dd-2d108df 515->518 516->498 517->516 518->516
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Co
                                                  • API String ID: 0-3798529171
                                                  • Opcode ID: 906fa81c8b020a6acdbdb4192f9cd779d7f8fd3a46a0ffa6c60bc4b2bffdcfac
                                                  • Instruction ID: 5356727bb7e5f7aa2d7e60d3a969d06703a447913412bc5ecb1f4a745e3e1a7c
                                                  • Opcode Fuzzy Hash: 906fa81c8b020a6acdbdb4192f9cd779d7f8fd3a46a0ffa6c60bc4b2bffdcfac
                                                  • Instruction Fuzzy Hash: 4911BF31B08209ABEF247A79E41476A3651FB85256F20483AE906CFB85DE30CCC1CBC1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 538 2d10838-2d1084c 540 2d1084e-2d10851 538->540 541 2d10853 call 2d1137f 540->541 542 2d1085e-2d10861 540->542 547 2d10859 541->547 543 2d10863 542->543 544 2d1086e-2d10871 542->544 548 2d10869 543->548 545 2d108f5-2d108f8 544->545 546 2d10877-2d10887 544->546 549 2d10909-2d1090b 545->549 550 2d108fa 545->550 555 2d108b9-2d108c1 546->555 556 2d10889-2d108b7 546->556 547->542 548->544 551 2d10912-2d10915 549->551 552 2d1090d 549->552 557 2d10904 550->557 551->540 554 2d1091b-2d1091d 551->554 552->551 558 2d108c3-2d108c5 555->558 559 2d108c7-2d108c9 555->559 556->555 557->549 560 2d108cf-2d108d1 558->560 559->560 562 2d108d3-2d108d9 560->562 563 2d108e9-2d108f0 560->563 564 2d108db 562->564 565 2d108dd-2d108df 562->565 563->545 564->563 565->563
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Co
                                                  • API String ID: 0-3798529171
                                                  • Opcode ID: 21338022335273c743fb4235712d2fc0ddb2c8656672fe3ff929b8b6b3cef965
                                                  • Instruction ID: ef0136f3fb29d971b8dcfbfa5ad13569701caee42831d3845ad51af93837afb1
                                                  • Opcode Fuzzy Hash: 21338022335273c743fb4235712d2fc0ddb2c8656672fe3ff929b8b6b3cef965
                                                  • Instruction Fuzzy Hash: F811E332A08209ABEF247A75B4147693651EB85256F20493EE946CBB85DE64CCC0CBC1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 1076 2d1867f-2d18682 1077 2d18684 1076->1077 1078 2d186a6-2d186a7 1076->1078 1079 2d186e4-2d186e6 1077->1079 1080 2d18686 1077->1080 1081 2d186ae-2d186bf 1078->1081 1083 2d186ec 1079->1083 1082 2d1868a 1080->1082 1081->1079 1082->1081 1084 2d1868c 1082->1084 1085 2d186ed-2d186f0 1083->1085 1086 2d1874c-2d18764 1083->1086 1084->1083 1089 2d1868d-2d186a5 1084->1089 1087 2d186f2-2d186f8 1085->1087 1088 2d1872b-2d18737 1085->1088 1093 2d18769-2d1876c 1086->1093 1087->1082 1091 2d186fa-2d186ff 1087->1091 1092 2d18739-2d1873c 1088->1092 1089->1078 1092->1093 1094 2d1873e-2d1874a 1092->1094 1097 2d18799-2d1879c 1093->1097 1098 2d1876e-2d18794 1093->1098 1094->1086 1100 2d187c9-2d187cc 1097->1100 1101 2d1879e-2d187c4 1097->1101 1098->1097 1102 2d187f9-2d187fc 1100->1102 1103 2d187ce-2d187f4 1100->1103 1101->1100 1106 2d18829-2d1882c 1102->1106 1107 2d187fe-2d18824 1102->1107 1103->1102 1108 2d18849-2d1884c 1106->1108 1109 2d1882e-2d18844 1106->1109 1107->1106 1114 2d18879-2d1887c 1108->1114 1115 2d1884e-2d18874 1108->1115 1109->1108 1116 2d188a9-2d188ac 1114->1116 1117 2d1887e-2d188a4 1114->1117 1115->1114 1123 2d188d9-2d188dc 1116->1123 1124 2d188ae-2d188d4 1116->1124 1117->1116 1126 2d18909-2d1890c 1123->1126 1127 2d188de-2d18904 1123->1127 1124->1123 1133 2d18939-2d1893c 1126->1133 1134 2d1890e-2d18934 1126->1134 1127->1126 1136 2d1894d-2d18950 1133->1136 1137 2d1893e-2d18940 1133->1137 1134->1133 1142 2d18952-2d18978 1136->1142 1143 2d1897d-2d18980 1136->1143 1305 2d18942 call 2d19f78 1137->1305 1306 2d18942 call 2d19f68 1137->1306 1307 2d18942 call 2d1a01b 1137->1307 1142->1143 1145 2d18982-2d189a8 1143->1145 1146 2d189ad-2d189b0 1143->1146 1145->1146 1152 2d189b2-2d189d8 1146->1152 1153 2d189dd-2d189e0 1146->1153 1147 2d18948 1147->1136 1152->1153 1155 2d189e2-2d18a08 1153->1155 1156 2d18a0d-2d18a10 1153->1156 1155->1156 1160 2d18a12-2d18a38 1156->1160 1161 2d18a3d-2d18a40 1156->1161 1160->1161 1164 
2d18a42-2d18a68 1161->1164 1165 2d18a6d-2d18a70 1161->1165 1164->1165 1168 2d18a72-2d18a98 1165->1168 1169 2d18a9d-2d18aa0 1165->1169 1168->1169 1173 2d18aa2-2d18ac8 1169->1173 1174 2d18acd-2d18ad0 1169->1174 1173->1174 1178 2d18ad2-2d18af8 1174->1178 1179 2d18afd-2d18b00 1174->1179 1178->1179 1183 2d18b02-2d18b28 1179->1183 1184 2d18b2d-2d18b30 1179->1184 1183->1184 1188 2d18b32-2d18b58 1184->1188 1189 2d18b5d-2d18b60 1184->1189 1188->1189 1193 2d18b62-2d18b88 1189->1193 1194 2d18b8d-2d18b90 1189->1194 1193->1194 1198 2d18b92-2d18bb8 1194->1198 1199 2d18bbd-2d18bc0 1194->1199 1198->1199 1203 2d18bc2-2d18be8 1199->1203 1204 2d18bed-2d18bf0 1199->1204 1203->1204 1208 2d18bf2-2d18c18 1204->1208 1209 2d18c1d-2d18c20 1204->1209 1208->1209 1213 2d18c22-2d18c48 1209->1213 1214 2d18c4d-2d18c50 1209->1214 1213->1214 1218 2d18c52-2d18c78 1214->1218 1219 2d18c7d-2d18c80 1214->1219 1218->1219 1223 2d18c82 1219->1223 1224 2d18c8d-2d18c90 1219->1224 1233 2d18c88 1223->1233 1228 2d18c92-2d18c9e 1224->1228 1229 2d18cab-2d18cae 1224->1229 1250 2d18ca6 1228->1250 1236 2d18cb0-2d18cd6 1229->1236 1237 2d18cdb-2d18cde 1229->1237 1233->1224 1236->1237 1238 2d18ce0-2d18d06 1237->1238 1239 2d18d0b-2d18d0e 1237->1239 1238->1239 1244 2d18d10-2d18d36 1239->1244 1245 2d18d3b-2d18d3e 1239->1245 1244->1245 1247 2d18d40-2d18d66 1245->1247 1248 2d18d6b-2d18d6e 1245->1248 1247->1248 1252 2d18d70-2d18d96 1248->1252 1253 2d18d9b-2d18d9e 1248->1253 1250->1229 1252->1253 1256 2d18da0-2d18dc6 1253->1256 1257 2d18dcb-2d18dce 1253->1257 1256->1257 1261 2d18dd0-2d18df6 1257->1261 1262 2d18dfb-2d18dfe 1257->1262 1261->1262 1265 2d18e00-2d18e26 1262->1265 1266 2d18e2b-2d18e2e 1262->1266 1265->1266 1271 2d18e30-2d18e56 1266->1271 1272 2d18e5b-2d18e5e 1266->1272 1271->1272 1275 2d18e60-2d18e86 1272->1275 1276 2d18e8b-2d18e8e 1272->1276 1275->1276 1281 2d18e90-2d18eb6 1276->1281 1282 2d18ebb-2d18ebe 1276->1282 1281->1282 1285 2d18ec0-2d18ee6 1282->1285 1286 2d18eeb-2d18eed 1282->1286 1285->1286 1291 
2d18ef4-2d18ef7 1286->1291 1292 2d18eef 1286->1292 1291->1092 1298 2d18efd-2d18f03 1291->1298 1292->1291 1305->1147 1306->1147 1307->1147
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34c377403d5ea85668c9af43656a44622c463940b0e3fb95ef2969a19ab61c2d
                                                  • Instruction ID: b598850624796b2a6a015f5dd2d411f0af627cc6935ff91a63251115b31d2d43
                                                  • Opcode Fuzzy Hash: 34c377403d5ea85668c9af43656a44622c463940b0e3fb95ef2969a19ab61c2d
                                                  • Instruction Fuzzy Hash: 35229036700202EBEB29AB38F59A6583BA2FBC5351F20592EE101CB754DF75EC46D781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 1308 2d18721-2d18737 1309 2d18739-2d1873c 1308->1309 1310 2d18769-2d1876c 1309->1310 1311 2d1873e-2d18764 1309->1311 1312 2d18799-2d1879c 1310->1312 1313 2d1876e-2d18794 1310->1313 1311->1310 1315 2d187c9-2d187cc 1312->1315 1316 2d1879e-2d187c4 1312->1316 1313->1312 1318 2d187f9-2d187fc 1315->1318 1319 2d187ce-2d187f4 1315->1319 1316->1315 1322 2d18829-2d1882c 1318->1322 1323 2d187fe-2d18824 1318->1323 1319->1318 1325 2d18849-2d1884c 1322->1325 1326 2d1882e-2d18844 1322->1326 1323->1322 1331 2d18879-2d1887c 1325->1331 1332 2d1884e-2d18874 1325->1332 1326->1325 1334 2d188a9-2d188ac 1331->1334 1335 2d1887e-2d188a4 1331->1335 1332->1331 1341 2d188d9-2d188dc 1334->1341 1342 2d188ae-2d188d4 1334->1342 1335->1334 1344 2d18909-2d1890c 1341->1344 1345 2d188de-2d18904 1341->1345 1342->1341 1351 2d18939-2d1893c 1344->1351 1352 2d1890e-2d18934 1344->1352 1345->1344 1354 2d1894d-2d18950 1351->1354 1355 2d1893e-2d18940 1351->1355 1352->1351 1360 2d18952-2d18978 1354->1360 1361 2d1897d-2d18980 1354->1361 1523 2d18942 call 2d19f78 1355->1523 1524 2d18942 call 2d19f68 1355->1524 1525 2d18942 call 2d1a01b 1355->1525 1360->1361 1363 2d18982-2d189a8 1361->1363 1364 2d189ad-2d189b0 1361->1364 1363->1364 1370 2d189b2-2d189d8 1364->1370 1371 2d189dd-2d189e0 1364->1371 1365 2d18948 1365->1354 1370->1371 1373 2d189e2-2d18a08 1371->1373 1374 2d18a0d-2d18a10 1371->1374 1373->1374 1378 2d18a12-2d18a38 1374->1378 1379 2d18a3d-2d18a40 1374->1379 1378->1379 1382 2d18a42-2d18a68 1379->1382 1383 2d18a6d-2d18a70 1379->1383 1382->1383 1386 2d18a72-2d18a98 1383->1386 1387 2d18a9d-2d18aa0 1383->1387 1386->1387 1391 2d18aa2-2d18ac8 1387->1391 1392 2d18acd-2d18ad0 1387->1392 1391->1392 1396 2d18ad2-2d18af8 1392->1396 1397 2d18afd-2d18b00 1392->1397 1396->1397 1401 2d18b02-2d18b28 1397->1401 1402 2d18b2d-2d18b30 1397->1402 1401->1402 1406 2d18b32-2d18b58 1402->1406 1407 2d18b5d-2d18b60 1402->1407 1406->1407 1411 2d18b62-2d18b88 
1407->1411 1412 2d18b8d-2d18b90 1407->1412 1411->1412 1416 2d18b92-2d18bb8 1412->1416 1417 2d18bbd-2d18bc0 1412->1417 1416->1417 1421 2d18bc2-2d18be8 1417->1421 1422 2d18bed-2d18bf0 1417->1422 1421->1422 1426 2d18bf2-2d18c18 1422->1426 1427 2d18c1d-2d18c20 1422->1427 1426->1427 1431 2d18c22-2d18c48 1427->1431 1432 2d18c4d-2d18c50 1427->1432 1431->1432 1436 2d18c52-2d18c78 1432->1436 1437 2d18c7d-2d18c80 1432->1437 1436->1437 1441 2d18c82 1437->1441 1442 2d18c8d-2d18c90 1437->1442 1451 2d18c88 1441->1451 1446 2d18c92-2d18c9e 1442->1446 1447 2d18cab-2d18cae 1442->1447 1468 2d18ca6 1446->1468 1454 2d18cb0-2d18cd6 1447->1454 1455 2d18cdb-2d18cde 1447->1455 1451->1442 1454->1455 1456 2d18ce0-2d18d06 1455->1456 1457 2d18d0b-2d18d0e 1455->1457 1456->1457 1462 2d18d10-2d18d36 1457->1462 1463 2d18d3b-2d18d3e 1457->1463 1462->1463 1465 2d18d40-2d18d66 1463->1465 1466 2d18d6b-2d18d6e 1463->1466 1465->1466 1470 2d18d70-2d18d96 1466->1470 1471 2d18d9b-2d18d9e 1466->1471 1468->1447 1470->1471 1474 2d18da0-2d18dc6 1471->1474 1475 2d18dcb-2d18dce 1471->1475 1474->1475 1479 2d18dd0-2d18df6 1475->1479 1480 2d18dfb-2d18dfe 1475->1480 1479->1480 1483 2d18e00-2d18e26 1480->1483 1484 2d18e2b-2d18e2e 1480->1484 1483->1484 1489 2d18e30-2d18e56 1484->1489 1490 2d18e5b-2d18e5e 1484->1490 1489->1490 1493 2d18e60-2d18e86 1490->1493 1494 2d18e8b-2d18e8e 1490->1494 1493->1494 1499 2d18e90-2d18eb6 1494->1499 1500 2d18ebb-2d18ebe 1494->1500 1499->1500 1503 2d18ec0-2d18ee6 1500->1503 1504 2d18eeb-2d18eed 1500->1504 1503->1504 1509 2d18ef4-2d18ef7 1504->1509 1510 2d18eef 1504->1510 1509->1309 1516 2d18efd-2d18f03 1509->1516 1510->1509 1523->1365 1524->1365 1525->1365
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5763e7c9056f80ae9ee58ace8b9fa7748df527cc9030aeda8d8a0df1c2aeb012
                                                  • Instruction ID: 4351344515886d6105354fb16bd61486c23448f541712ce661c4821c4883da5d
                                                  • Opcode Fuzzy Hash: 5763e7c9056f80ae9ee58ace8b9fa7748df527cc9030aeda8d8a0df1c2aeb012
                                                  • Instruction Fuzzy Hash: DF128E36700202EBDB29AB38F59A66C36A2FBC5351F20592EE105CB754DF75EC46DB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  control_flow_graph 1930 2d1a217-2d1a219 1931 2d1a21b 1930->1931 1932 2d1a22c-2d1a22f 1930->1932 2068 2d1a21e call 2d1a217 1931->2068 2069 2d1a21e call 2d1a4a6 1931->2069 2070 2d1a21e call 2d1a2a8 1931->2070 1933 2d1a235-2d1a238 1932->1933 1934 2d1a4c6-2d1a4cf 1932->1934 1936 2d1a242-2d1a245 1933->1936 1937 2d1a23a-2d1a23f 1933->1937 1938 2d1a4d5-2d1a4df 1934->1938 1939 2d1a1b6-2d1a1bf 1934->1939 1935 2d1a224-2d1a227 1935->1932 1942 2d1a247-2d1a275 1936->1942 1943 2d1a27a-2d1a27c 1936->1943 1937->1936 1940 2d1a4e2-2d1a512 1939->1940 1941 2d1a1c5-2d1a1cc 1939->1941 1955 2d1a514-2d1a517 1940->1955 1944 2d1a1d1-2d1a1d4 1941->1944 1942->1943 1945 2d1a283-2d1a286 1943->1945 1946 2d1a27e 1943->1946 1947 2d1a1f7-2d1a1fa 1944->1947 1948 2d1a1d6-2d1a1f2 1944->1948 1951 2d1a1b1-2d1a1b4 1945->1951 1952 2d1a28c 1945->1952 1946->1945 1953 2d1a216 1947->1953 1954 2d1a1fc-2d1a20b 1947->1954 1948->1947 1951->1939 1951->1944 1956 2d1a296-2d1a29a 1952->1956 1953->1930 1969 2d1a211 1954->1969 1970 2d1a4c3 1954->1970 1959 2d1a519-2d1a533 1955->1959 1960 2d1a538-2d1a53b 1955->1960 2071 2d1a29d call 2d1a6b2 1956->2071 2072 2d1a29d call 2d1a6b8 1956->2072 1959->1960 1961 2d1a53d-2d1a559 1960->1961 1962 2d1a55e-2d1a561 1960->1962 1961->1962 1967 2d1a690-2d1a69a 1962->1967 1968 2d1a567-2d1a56a 1962->1968 1965 2d1a2a3-2d1a2a6 1971 2d1a2b2-2d1a2b7 call 2d1de62 1965->1971 1973 2d1a57c-2d1a57f 1968->1973 1974 2d1a56c 1968->1974 1969->1953 1970->1934 1978 2d1a2bd-2d1a2bf 1971->1978 1976 2d1a581-2d1a5a3 1973->1976 1977 2d1a5a4-2d1a5a7 1973->1977 1982 2d1a575-2d1a577 1974->1982 1979 2d1a5a9-2d1a5ac 1977->1979 1980 2d1a5f8-2d1a5fb 1977->1980 1978->1970 1986 2d1a2c5-2d1a2ca 1978->1986 1987 2d1a5cc-2d1a5cf 1979->1987 1988 2d1a5ae-2d1a5c7 1979->1988 1984 2d1a5e1-2d1a5e4 1980->1984 1985 2d1a5fd 1980->1985 1982->1973 1992 2d1a69b-2d1a6a7 1984->1992 1993 2d1a5ea-2d1a5ee 1984->1993 1989 2d1a602-2d1a605 1985->1989 1998 2d1a2d2-2d1a2d3 1986->1998 1990 
2d1a5d1-2d1a5d7 1987->1990 1991 2d1a5dc-2d1a5df 1987->1991 1988->1987 1996 2d1a607-2d1a61f 1989->1996 1997 2d1a626-2d1a629 1989->1997 1990->1991 1991->1984 1994 2d1a5f3-2d1a5f6 1991->1994 1993->1994 1994->1980 1994->1989 2001 2d1a62b-2d1a62c 1996->2001 2010 2d1a621 1996->2010 2000 2d1a631-2d1a634 1997->2000 1997->2001 1998->1970 2002 2d1a2d9-2d1a336 1998->2002 2006 2d1a655-2d1a658 2000->2006 2007 2d1a636-2d1a650 2000->2007 2001->2000 2024 2d1a407-2d1a421 2002->2024 2025 2d1a33c-2d1a38f 2002->2025 2008 2d1a65a-2d1a65c 2006->2008 2009 2d1a65f-2d1a662 2006->2009 2007->2006 2008->2009 2012 2d1a664-2d1a673 2009->2012 2013 2d1a67e-2d1a680 2009->2013 2010->1997 2012->1976 2020 2d1a679 2012->2020 2015 2d1a682 2013->2015 2016 2d1a687-2d1a68a 2013->2016 2015->2016 2016->1955 2016->1967 2020->2013 2030 2d1a423-2d1a425 2024->2030 2044 2d1a391-2d1a3ad 2025->2044 2045 2d1a3af-2d1a3d2 call 2d179c8 2025->2045 2032 2d1a433 2030->2032 2033 2d1a427-2d1a431 2030->2033 2034 2d1a438-2d1a43a 2032->2034 2033->2034 2035 2d1a4ab-2d1a4bd 2034->2035 2036 2d1a43c-2d1a440 2034->2036 2035->1970 2035->2002 2038 2d1a451 2036->2038 2039 2d1a442-2d1a44f 2036->2039 2040 2d1a456-2d1a458 2038->2040 2039->2040 2040->2035 2043 2d1a45a-2d1a45c 2040->2043 2043->2035 2046 2d1a45e-2d1a4a4 2043->2046 2056 2d1a3d4-2d1a405 2044->2056 2045->2056 2046->2035 2056->2030 2068->1935 2069->1935 2070->1935 2071->1965 2072->1965
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a561fa9283b31d342ad725015027acf1eb7e9fee83d25055e5e2d42709e05b3
                                                  • Instruction ID: 2dae5b21e4f32802ab61ecc48ef02d9710cd85c0f70d303939c8bb91a93e86cf
                                                  • Opcode Fuzzy Hash: 2a561fa9283b31d342ad725015027acf1eb7e9fee83d25055e5e2d42709e05b3
                                                  • Instruction Fuzzy Hash: D4E16B35A01205DFDB14DB68E485BADBBB2FF89314F208429E90ADB755DB35EC42CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb66ee376bd9e4156f6aeb49c3920706349bd2b620c7979b543f608ead673e9f
                                                  • Instruction ID: e1f0bc0c5d30c2231d470882c7d0b4b6da8d6e2c0bc878917ab2e4760d1c05a9
                                                  • Opcode Fuzzy Hash: bb66ee376bd9e4156f6aeb49c3920706349bd2b620c7979b543f608ead673e9f
                                                  • Instruction Fuzzy Hash: 05A15AB0E00219EFDF10CFA8E98179DBBF2AF48714F148129D815AB794EB749885CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c93f540dc15647d54e69fd6e7a3159ed104a0ab0cd34f3852121ea4958128a7
                                                  • Instruction ID: 2d085b7cab3d8d7cbffb3ac69f16db49cd76763983dc8ef59d146b5e4d1228d6
                                                  • Opcode Fuzzy Hash: 2c93f540dc15647d54e69fd6e7a3159ed104a0ab0cd34f3852121ea4958128a7
                                                  • Instruction Fuzzy Hash: C7916CB0E00209EFDB10CFA9E9857DDBBF1AF48714F248129E405A7794EB749885CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 510ce7e30cb736bb904c120a5a76d08f24875416a1d64c944bb9e58e42940b11
                                                  • Instruction ID: def36fc920fb3fd625268fac4046159e87571859efb5fdef9336b393cecb2005
                                                  • Opcode Fuzzy Hash: 510ce7e30cb736bb904c120a5a76d08f24875416a1d64c944bb9e58e42940b11
                                                  • Instruction Fuzzy Hash: 88718CB0E04249EFDB10CFA9E98079EBBF2BF88714F148129E415A7794EB749841CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3217b6048b812bd03bc30d18d744ecc479613cde8bbe65affcd5d95d870c3f1f
                                                  • Instruction ID: b53c92e4cc44b001ce0fdb815c52b6ccf5bcf4673ca2e8a5fb22fd6415359e91
                                                  • Opcode Fuzzy Hash: 3217b6048b812bd03bc30d18d744ecc479613cde8bbe65affcd5d95d870c3f1f
                                                  • Instruction Fuzzy Hash: 0E718BB0E04249EFDB10CFA8E98479EBBF1BF88714F148129E415A7794EB749841CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b6f5427ca4794c6adf04411987b043f6116f5b7612252ac9fa089e5e67482c95
                                                  • Instruction ID: d72e7fb71b8e538a88e9c9f8f0fb35e58ed41d588205e9829869222a8509de63
                                                  • Opcode Fuzzy Hash: b6f5427ca4794c6adf04411987b043f6116f5b7612252ac9fa089e5e67482c95
                                                  • Instruction Fuzzy Hash: 1D518C34700214DFDB04DB68E558AADBBB6FF89700F2044A9E406EBBA1DB75DC41CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ea88eff9196a86f7d8dabf18638a28da59425c93c661ae1722b8a335735796c
                                                  • Instruction ID: d5912f568bc48e1454f4e9c1126c513da7df1f06a500c18b120e07891b597476
                                                  • Opcode Fuzzy Hash: 1ea88eff9196a86f7d8dabf18638a28da59425c93c661ae1722b8a335735796c
                                                  • Instruction Fuzzy Hash: C1513875A01205DFDB04DF69E884799FBB2FF88314F14C26AE9089B356EB70D946CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 95bcd330c3eebd6589c1bac992142571137e596291a2f71d1328985a1e4c0c33
                                                  • Instruction ID: 40bacdc97308d8c5ac31ccda7c6d1763db38a9737e9536733b721e5ec9a98d08
                                                  • Opcode Fuzzy Hash: 95bcd330c3eebd6589c1bac992142571137e596291a2f71d1328985a1e4c0c33
                                                  • Instruction Fuzzy Hash: 9F5143B0E002289FDB18CFA9D884B9DBBB5FF48304F14852AE815BB750D774A844CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6fc84ed59cf16da02737e7fe479046adb24f123c3ac944c74eb499adf8023c5b
                                                  • Instruction ID: beeeb0c2b05062f16249806fca64fd984d1b2ded550d6b605b23910d5ef06484
                                                  • Opcode Fuzzy Hash: 6fc84ed59cf16da02737e7fe479046adb24f123c3ac944c74eb499adf8023c5b
                                                  • Instruction Fuzzy Hash: 315123B0E002189FDB14CFA9D884B9EBBB5FF48314F14812AE815BB750DB74A844CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f51665a288678ebe2fd170f539be939cf18fae1dcf50842d6c6274660418a30
                                                  • Instruction ID: 58044d82c969cd5b26c811c1b78a9a9a98ec3f3c04ebce01d47afdcb47eea50f
                                                  • Opcode Fuzzy Hash: 8f51665a288678ebe2fd170f539be939cf18fae1dcf50842d6c6274660418a30
                                                  • Instruction Fuzzy Hash: 2551CD32A15346CFE70AFF28F8C09553FB1FBA5306304A97DD1545736EEAA06949CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8c941212c0902fdb86adc50ebbe6b382065cf4079154ced426862ebd1d98755
                                                  • Instruction ID: d565e97fe2777a60639ff6eb990a2b34314a40b0b762b27c66691f02001a1116
                                                  • Opcode Fuzzy Hash: f8c941212c0902fdb86adc50ebbe6b382065cf4079154ced426862ebd1d98755
                                                  • Instruction Fuzzy Hash: E2315E75B00616EFD705DB68D880E7A77B7BFC8300F648168E5459B299CB32EC42CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac71d20995f20721ee095eff909899fc393ba0318c526668395c35f1d1ec2f02
                                                  • Instruction ID: 57b1ff09988ab9a369b04eadc31aca614d1eaaede6a0f93f4db25508b59f74eb
                                                  • Opcode Fuzzy Hash: ac71d20995f20721ee095eff909899fc393ba0318c526668395c35f1d1ec2f02
                                                  • Instruction Fuzzy Hash: 3B315E31E1021AEBEB14CBA4E4457AEF7B6FF85310F608529E506EB790EBB09D41CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb4ac325fc5d18b75f0d63379e512119262fdc0d4fad13e11330e95c8316c59f
                                                  • Instruction ID: 7a13ba27aaa0d8e4f908a5ba734ba760576f5fb5fad691801c9cff52cdc1f6ac
                                                  • Opcode Fuzzy Hash: cb4ac325fc5d18b75f0d63379e512119262fdc0d4fad13e11330e95c8316c59f
                                                  • Instruction Fuzzy Hash: 33314E31E1025AEBEB14CB64E84579EB7B6FF85300F608519F502EB790EBB09D42CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 38d3b9182ff3c87d043907d08613531cf3a2f5ca9e9151e9281994313136e42e
                                                  • Instruction ID: 65d1d021a08db8f77dbd07bb911f463ecc751ee1b23a087cbb397b1da0cd0277
                                                  • Opcode Fuzzy Hash: 38d3b9182ff3c87d043907d08613531cf3a2f5ca9e9151e9281994313136e42e
                                                  • Instruction Fuzzy Hash: 41410FB1D00349EFEB10CFA9D984ADEBBB1FF48314F148429E809AB254DB75A945CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c341ddf0633505c6f9ec8a2b84e4c1d3493cf1d0802339dc02c2bd0747e6080
                                                  • Instruction ID: b767be46b431f1b37f6244fc0d449eed90fa1fc7a5ee3bafb4767c5b209f4609
                                                  • Opcode Fuzzy Hash: 0c341ddf0633505c6f9ec8a2b84e4c1d3493cf1d0802339dc02c2bd0747e6080
                                                  • Instruction Fuzzy Hash: 2641EFB0D00349EFDB10CFA9D984A9EBBB5EF48714F148429E809AB354DB75A945CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b9f064749c85ee2f02a4bea3ad28f774b61dfe4966507c819c7709dd1ef4a3aa
                                                  • Instruction ID: 832097f577a4e38f15859d85c033382ac9b7cf46df02d60f9b975248d1c8554c
                                                  • Opcode Fuzzy Hash: b9f064749c85ee2f02a4bea3ad28f774b61dfe4966507c819c7709dd1ef4a3aa
                                                  • Instruction Fuzzy Hash: 9831DC71B00245EFEF24EB68E5147AD37B2AF49301F1004A8C20AEB794DB36CC41CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 649420004cc5bb12790e8e2725b0098b3c62a330542f14c6b3a2c12323fa8e94
                                                  • Instruction ID: 3f5baf567ce39061901bcc120199a0ebe0ff370c4483fcf9efd748a49bd08ef2
                                                  • Opcode Fuzzy Hash: 649420004cc5bb12790e8e2725b0098b3c62a330542f14c6b3a2c12323fa8e94
                                                  • Instruction Fuzzy Hash: AE31C076E012469BDB15CFA4E88079EBBB2FF8A300F24C659E415EB745DB709C86CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e89d80ba4e0b41dc825fb73fa6ccb02e237e67df30ed75ff5adbf9dce85fcee4
                                                  • Instruction ID: c72d7e80d5a4c7c2ec0ee2b2ed4440b2a3bb254afc7b696e61eb7905948e7ba6
                                                  • Opcode Fuzzy Hash: e89d80ba4e0b41dc825fb73fa6ccb02e237e67df30ed75ff5adbf9dce85fcee4
                                                  • Instruction Fuzzy Hash: 53215135E0120AABDB15CF64E98079EF7B2BF89300F50C619E805AB745DB719D85CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac797a00bd119885948587f7c9fcb3db7d5c0e65563b314dd8daa74a4d6426c9
                                                  • Instruction ID: 548c308fbcebc97f0773c41dd81386c141e0ccda3289a8f47c1e0ed91e8b96cd
                                                  • Opcode Fuzzy Hash: ac797a00bd119885948587f7c9fcb3db7d5c0e65563b314dd8daa74a4d6426c9
                                                  • Instruction Fuzzy Hash: D4219939610241EBEF26EB28F8847193B65EF84354F106929E20AC7755EF78DC45CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a8d564ab218c43dafed3593fbe3b0447e42eda8289385b42bdb39e9e432aae99
                                                  • Instruction ID: efa783b3f21ca0358ef35b1ceab2d60aa9dfbce8405001d3fe9b36d5f7ceadcd
                                                  • Opcode Fuzzy Hash: a8d564ab218c43dafed3593fbe3b0447e42eda8289385b42bdb39e9e432aae99
                                                  • Instruction Fuzzy Hash: 5E21D070B001189FEB14DBB8D954BAD77F6AF88720F118126E101EB3A4DB71CD80CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3321715498.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_110d000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8666e8d51f52c732f4fe0cb936aec0536e709d10995704365bb0811bcc2a1318
                                                  • Instruction ID: dda42311ccd36f2cbafddabbdbcb182c44ff4937265e2ba592739423a7a5e9b8
                                                  • Opcode Fuzzy Hash: 8666e8d51f52c732f4fe0cb936aec0536e709d10995704365bb0811bcc2a1318
                                                  • Instruction Fuzzy Hash: D1213A75904304DFDF1ACFA4E9C0B26BB61FB84314F20C56DD90D4B296C7B6D446CA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68af6e9feff11779bd468450ab2d0242856ee4de2629afa7ad5ef140a076f3d9
                                                  • Instruction ID: 4d7483661c9dbc156985d4890142ee2110399bce4859fbcd3866847ce6fb11d7
                                                  • Opcode Fuzzy Hash: 68af6e9feff11779bd468450ab2d0242856ee4de2629afa7ad5ef140a076f3d9
                                                  • Instruction Fuzzy Hash: 7E2136327142519FC705AB38E8217AE3BBAEF8A210F1045AAE045CF795EE75DC46C7D1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 768cea3713af7c71fec3024ab3ef11cab8a4a6943ccc84a44b40cd35a3d519a8
                                                  • Instruction ID: b571145ad68b262601d32d575e094a2a37817e4bf05407c272d3cd4def2a3162
                                                  • Opcode Fuzzy Hash: 768cea3713af7c71fec3024ab3ef11cab8a4a6943ccc84a44b40cd35a3d519a8
                                                  • Instruction Fuzzy Hash: 9621BE71A001089FEB04DB68D954BAE7BF6EF88710F118029E506EB7A4DB71CD84CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e0dc677796c2ae4114e1dde33c6b81d2ad30b1ca933d34e240f1c6557b07890
                                                  • Instruction ID: 8e2117a621889d2220ab18e03ec44ddb38e10ea5d3d654af38485f0287126463
                                                  • Opcode Fuzzy Hash: 6e0dc677796c2ae4114e1dde33c6b81d2ad30b1ca933d34e240f1c6557b07890
                                                  • Instruction Fuzzy Hash: B6211534A00214DFDB24DB78E599BADB7F2AB8D344B200468E506EB7A4DB75DD40CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a44fbffdaba59f9ca4ad446da0b326fe56a5027e5cb99ad37f427a07a2e2751
                                                  • Instruction ID: b1d4152d66e42829d1d2e195508cac874ca193576c1d7b3f467b38e57fc4e19e
                                                  • Opcode Fuzzy Hash: 0a44fbffdaba59f9ca4ad446da0b326fe56a5027e5cb99ad37f427a07a2e2751
                                                  • Instruction Fuzzy Hash: B0217131E00206ABDB18CFA4D4606DEF7B2AF89300F20855AF815F7784DB709C46CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80f89fa229bce3a3483358d5d2e05f5bfd9946d4797b3485c0598329101ed758
                                                  • Instruction ID: f218845a0b2f81cb24b8034089d512554fa2244e967da3a272413b5d0c520b14
                                                  • Opcode Fuzzy Hash: 80f89fa229bce3a3483358d5d2e05f5bfd9946d4797b3485c0598329101ed758
                                                  • Instruction Fuzzy Hash: B721B475614211BBEF356624F48A32C7A20EB42321F541829E74EC7BD4DF69CC85C742
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5d7df4a4f3dc92f826592d556a8bfa41347625330cca00d943963bd6d8c1a5e6
                                                  • Instruction ID: 8414a87244999699efdaef5b660b3cce06ad0eafcf2d18fbbb85de96d6708e49
                                                  • Opcode Fuzzy Hash: 5d7df4a4f3dc92f826592d556a8bfa41347625330cca00d943963bd6d8c1a5e6
                                                  • Instruction Fuzzy Hash: EE213C34B00215EFEB54EB78E554BAE77F2AB89305F200468C21AEB758DB75CD41CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eca23ad7b2d7383b5f709a52758b3f35d9288f7c895a47b3d768a71faeadc4a4
                                                  • Instruction ID: 51043edbc22f5c6ea248b0870e1849ca21337a6475126bfc36a54d7632afbf42
                                                  • Opcode Fuzzy Hash: eca23ad7b2d7383b5f709a52758b3f35d9288f7c895a47b3d768a71faeadc4a4
                                                  • Instruction Fuzzy Hash: DB21B739610241EBEF26EB28F8847193B66EF84354F106929E20AC7759EF78DC44CBD1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7eeb8477cb6788fa82e4d631459791031ce2ab41112fe08c633cdb635f6d8822
                                                  • Instruction ID: dd0b70fbf566ee777d9e4c1a2b56aef03cba18e5fb8d1b8a9b1b27538a5efc0c
                                                  • Opcode Fuzzy Hash: 7eeb8477cb6788fa82e4d631459791031ce2ab41112fe08c633cdb635f6d8822
                                                  • Instruction Fuzzy Hash: 0621E634B00204DFDB18EB78E558BADB7F2AB8D344B200468E506EB7A4DB76DD41CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8b9966b645a55191b2847b4bf9c6e7dc0558b4a915e0ad626f2d97f59d44e380
                                                  • Instruction ID: 4012ac15dc57fabc8c57f1992b8a5c46c6aaecd06e61dc01e3f481a66b629940
                                                  • Opcode Fuzzy Hash: 8b9966b645a55191b2847b4bf9c6e7dc0558b4a915e0ad626f2d97f59d44e380
                                                  • Instruction Fuzzy Hash: 83215E31E00219ABCB19CF64D4546DEF7B6AF89310F10866AFC15BB794DB70AC46CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 38bad95d4228ca1387671bd82634ad36a1d30febbaa57d27abcfb29898a7c96e
                                                  • Instruction ID: 7b5dc079b49480e1f38f40c2ed245db41b80e922692216106eb33a6fe01debdf
                                                  • Opcode Fuzzy Hash: 38bad95d4228ca1387671bd82634ad36a1d30febbaa57d27abcfb29898a7c96e
                                                  • Instruction Fuzzy Hash: FB11CEB6F11351AFDB10ABB4A80966E7BE9FF48250F148865EA09D3340FA34C805CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c583fdc4a886f39b586ad0e5c9cd29c5654b0e92aca457c7d1d3cbae9f42bfeb
                                                  • Instruction ID: 4bb833558a3355b9a61097b73aaf90f53417238b345c5b5f88baee6800a3a8ce
                                                  • Opcode Fuzzy Hash: c583fdc4a886f39b586ad0e5c9cd29c5654b0e92aca457c7d1d3cbae9f42bfeb
                                                  • Instruction Fuzzy Hash: A5118F72A00215AFCB11AFB8A85129D7BF5EF48211F1504BAD905DB741EB35CD41CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3321715498.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_110d000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3adcda68119555c6f25b62d92a5950083e81dc615a2459920abefbb8922beed6
                                                  • Instruction ID: 909f29962979abd33403a21703b077298d2959be037a04e777073eaf13c43b6f
                                                  • Opcode Fuzzy Hash: 3adcda68119555c6f25b62d92a5950083e81dc615a2459920abefbb8922beed6
                                                  • Instruction Fuzzy Hash: 2F110075904284CFCB06CF54D9C0B15BF61FB44318F24C6A9D8494B696C37AD44ACF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 434aa718d535fe0ac8d8569d08d6e5ea28e62dbb1500c0364e7d9eb8dc6bba68
                                                  • Instruction ID: 7272f06caa689b85acf0fbadcfc90d0c2cb149fbeeaa3742eadfd0c13325a883
                                                  • Opcode Fuzzy Hash: 434aa718d535fe0ac8d8569d08d6e5ea28e62dbb1500c0364e7d9eb8dc6bba68
                                                  • Instruction Fuzzy Hash: 6A018031A00219ABCB21EFB9A4512AE7BF6EB48211F14047AD909EB740E735DC81CBE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d978a40a968e013d50527a39a1b5f9961aabe0ceced1df76a4a6c57b42fb6ef
                                                  • Instruction ID: 4d0d33a00fc9ebe437eaf0383d18166851e3b8afd2a46908ab97a6cd3e4c56e3
                                                  • Opcode Fuzzy Hash: 4d978a40a968e013d50527a39a1b5f9961aabe0ceced1df76a4a6c57b42fb6ef
                                                  • Instruction Fuzzy Hash: DE01B531A001058BDB14EF55E88479ABB75FFC4310F54C168D9086F79AEBB4ED06CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c4d06e8479080be2a392d5fead87101df2df767bfaa3a21669664d2ec6123a0
                                                  • Instruction ID: 431dcd2e73628688fc9b00f9e3ce894106b93053eb3ab39a365a300bfcbe3fb4
                                                  • Opcode Fuzzy Hash: 0c4d06e8479080be2a392d5fead87101df2df767bfaa3a21669664d2ec6123a0
                                                  • Instruction Fuzzy Hash: 08016D3650028ADBDB06EBA8F991B9D7F61EB81340F406AADC1116F295DE752A01DB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60fcfb4797841b9c87e3119e21b2d953cd846926c8b9a463c2fc77211b259774
                                                  • Instruction ID: 0b5780d287334a38c15eb1cb88a8aa5a619ea97f96631ab51db820c6142ed25d
                                                  • Opcode Fuzzy Hash: 60fcfb4797841b9c87e3119e21b2d953cd846926c8b9a463c2fc77211b259774
                                                  • Instruction Fuzzy Hash: DEF0C43AB00209DFD718DB74E599A6C77B2EF88315F5454A8E5069B3A4DF31AD42CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.3322192795.0000000002D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_2d10000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c8078a8b1758ee9ffc7d04b41504e40f599ef522c8a2dfc8eca53e2f24a2313
                                                  • Instruction ID: 277803c415038f0add0684c88e2a2829ed1529afd10f058197c83460e30ad058
                                                  • Opcode Fuzzy Hash: 7c8078a8b1758ee9ffc7d04b41504e40f599ef522c8a2dfc8eca53e2f24a2313
                                                  • Instruction Fuzzy Hash: F6F0313590024AEFDB05FFA4F850A9D7BB1FB80340F5066ADC104AB254EF712E049B81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%