

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1432174
MD5: ea8b223863892068e3cfab601caf53d4
SHA1: d94660b1fc88c44fddf2b330e9628b38c9e7d8d0
SHA256: 4ed2368fc3e3030a3da9930cb430b80d4611baf0a0451efe3f9e02b25ccd493d
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 2364 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EA8B223863892068E3CFAB601CAF53D4)
    • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 2212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 3040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and details of installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration: {"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Yara matches in the network capture

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches in memory dumps

Source | Rule | Description | Author
00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Yara matches in unpacked PE files

Source | Rule | Description | Author
0.2.file.exe.281040.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.281040.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.250000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Snort IDS alerts

Timestamp: 04/26/24-16:28:58.476425
SID: 2043234
Source Port: 28380
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/26/24-16:29:13.331288
SID: 2043231
Source Port: 49704
Destination Port: 28380
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/26/24-16:28:58.227042
SID: 2046045
Source Port: 49704
Destination Port: 28380
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/26/24-16:29:03.773464
SID: 2046056
Source Port: 28380
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

                        AV Detection

Source: 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.96:28380", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | Virustotal: Detection: 32%
Source: file.exe | ReversingLabs: Detection: 31%
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00269C1F FindFirstFileExW, 0_2_00269C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 068C4C60h | 4_2_068C4768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 068C18A7h | 4_2_068C1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 068C10A5h | 4_2_068C0DE0

                        Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 5.42.65.96:28380
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.96:28380 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.96:28380 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 5.42.65.96:28380
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 5.42.65.96:28380
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.96
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: file.exe, file.exe, 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\TmpF89F.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\TmpF8AF.tmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00260160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00264213
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026C253
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026DAD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00264C33
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00287555
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00286DD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0025CF44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00BDDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02800AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02806948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_028072D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02807C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02800039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02800040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02800AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02801FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02807C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_061A67D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_061AA3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_061A3F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_061A6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_061A6FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068CC4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C76C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C4768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C2510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C01E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C3AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C3AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_068C1A60
                        Source: C:\Users\user\Desktop\file.exeCode function: String function: 002572C0 appears 51 times
                        Source: file.exeBinary or memory string: OriginalFilename vs file.exe
                        Source: file.exe, 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBeaufin.exe8 vs file.exe
                        Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exeStatic PE information: Section: .bsS ZLIB complexity 0.9981459697217676
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@0/1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\TmpF89F.tmpJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: file.exeVirustotal: Detection: 32%
                        Source: file.exeReversingLabs: Detection: 31%
                        Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.4.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002869C6 push es; retn 0000h 0_2_00286AD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286AE8 push es; retn 0000h 0_2_00286AD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286AE8 push es; ret 0_2_00286AE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286AD9 push es; retn 0000h 0_2_00286AD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286AD9 push es; ret 0_2_00286AE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286B55 push es; retf 0000h 0_2_00286B42
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00286B55 push es; retf 0_2_00286B52
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_002565C2 push ecx; ret 0_2_002565D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD46E9 push ebx; ret 4_2_00BD46EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD46E1 push ebx; ret 4_2_00BD46E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD46E3 push edx; ret 4_2_00BD46E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD4661 push edx; ret 4_2_00BD4662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD4658 push edx; ret 4_2_00BD465A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD47E0 push esi; ret 4_2_00BD47E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BD47D7 push esi; ret 4_2_00BD47DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BDAD09 pushfd ; ret 4_2_00BDAD0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00BDAD01 pushfd ; ret 4_2_00BDAD02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_061AC711 push es; ret 4_2_061AC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_061AD413 push es; ret 4_2_061AD420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_061AECF2 push eax; ret 4_2_061AED01

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5644 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00269C1F FindFirstFileExW, 0_2_00269C1F
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2211253726.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003A43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegAsm.exe, 00000004.00000002.2208757481.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00257093 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00257093
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026650C mov eax, dword ptr fs:[00000030h]0_2_0026650C
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002613E3 mov ecx, dword ptr fs:[00000030h]0_2_002613E3
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00266550 mov eax, dword ptr fs:[00000030h]0_2_00266550
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026D368 GetProcessHeap,0_2_0026D368
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00257093 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00257093
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002571EF SetUnhandledExceptionFilter,0_2_002571EF
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00256D89 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00256D89
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0025ADD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0025ADD3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6E5008
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00256B7C cpuid 0_2_00256B7C
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_0026D037
Source: C:\Users\user\Desktop\file.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0026D106
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_0026CA44
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_0026624C
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_0026CA8F
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_0026CB2A
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0026CBB5
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW, 0_2_00265CE6
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW, 0_2_0026CE08
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0026CF31
Source: C:\Users\user\Desktop\file.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0026C7A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00256F86 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00256F86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000004.00000002.2211713768.0000000005B5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2215254482.000000000727A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.file.exe.281040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.281040.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 2364, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR
Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectrumE#
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: JaxxE#
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q~
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLR]q
Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ExodusE#
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: EthereumE#
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q
Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match; File source: 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR
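Added triage example (not part of the Joe Sandbox report and not RedLine's own code): it automates the two checks an analyst makes by hand on the sections above. The first is the injection chain under HIPS / PFW / Operating System Protection Evasion, where file.exe allocates executable memory at RegAsm.exe's image base 400000 and then writes data beginning with 4D5A ("MZ") there, the process-hollowing signature. The second is the list of browser credential stores and wallet folders that RegAsm.exe opens under Stealing of Sensitive Information. The script parses lines in the "Source: <process>; <field>: <value>" shape used on this page; the sample input is constructed from this report's own lines plus one invented benign line (chrome.exe reading its own Login Data) to show what is not flagged. The browser executable names and the wallet folder list are assumptions chosen from the paths listed above, not something the report states.

```python
"""Triage Joe Sandbox-style behaviour lines for process hollowing and
credential/wallet harvesting (the two behaviours this report lists)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of this report's lines in the
# "Source: <process>; <field>: <value>" shape, plus one invented benign line
# (chrome.exe reading its own profile) to show what is not flagged.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""


@dataclass
class Event:
    source: str                 # process performing the action
    field: str                  # Memory allocated / Memory written / Process created / File opened
    target: str                 # foreign process, or the path that was opened
    base: Optional[int] = None  # address in the foreign process, for memory events
    protect: str = ""           # page protection requested on allocation
    prefix: str = ""            # first bytes written, hex, as the sandbox reports them


LINE_RE = re.compile(r"^Source: (?P<src>[^;]+); (?P<field>[A-Za-z ]+): (?P<value>.*)$")
MEM_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                    r"(?: protect: (?P<prot>.+?))?(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$")


def parse(text: str) -> List[Event]:
    """Turn report lines into Event records; unknown fields are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, field, value = m["src"], m["field"], m["value"]
        if field in ("Memory allocated", "Memory written"):
            mm = MEM_RE.match(value)
            if mm:
                events.append(Event(src, field, mm["target"], int(mm["base"], 16),
                                    mm["prot"] or "", mm["prefix"] or ""))
        elif field == "Process created":
            events.append(Event(src, field, value.split(' "')[0]))  # drop the command line
        elif field == "File opened":
            events.append(Event(src, field, value))
    return events


def hollowing_findings(events: List[Event]) -> List[dict]:
    """Executable allocation in a foreign process followed by an 'MZ' write at the same base."""
    exec_allocs = set()
    spawned = {(e.source, e.target) for e in events if e.field == "Process created"}
    findings = []
    for e in events:
        key = (e.source, e.target, e.base)
        if e.field == "Memory allocated" and "execute" in e.protect:
            exec_allocs.add(key)
        elif e.field == "Memory written" and e.prefix.upper().startswith("4D5A") and key in exec_allocs:
            findings.append({"rule": "process_hollowing", "source": e.source, "target": e.target,
                             "base": hex(e.base), "spawned_target": (e.source, e.target) in spawned})
    return findings


# Assumptions: store names taken from the paths this report lists; the browser
# list is the set of processes allowed to read their own credential stores.
CRED_STORES = ("Login Data", "Web Data", "Cookies", "cookies.sqlite")
WALLET_DIRS = {"Electrum", "Exodus", "Coinomi", "Binance", "atomic", "Guarda", "com.liberty.jaxx", "Ethereum"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def harvesting_findings(events: List[Event]) -> List[dict]:
    """Per source process: browser credential stores and wallet folders it opened."""
    per_source: Dict[str, Dict[str, List[str]]] = {}
    for e in events:
        if e.field != "File opened":
            continue
        parts = e.target.rstrip("\\").split("\\")
        leaf, exe = parts[-1], e.source.rsplit("\\", 1)[-1].lower()
        if leaf.endswith(CRED_STORES):
            if exe in BROWSERS:
                continue  # a browser reading its own profile is expected
            kind = "browser_credential_stores"
        elif WALLET_DIRS.intersection(parts):
            kind = "wallet_folders"
        else:
            continue
        per_source.setdefault(e.source, {}).setdefault(kind, []).append(e.target)
    return [{"rule": "credential_harvesting", "source": s, **kinds} for s, kinds in per_source.items()]


def triage(text: str) -> List[dict]:
    events = parse(text)
    return hollowing_findings(events) + harvesting_findings(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the sample, it returns one process_hollowing finding (file.exe into RegAsm.exe at 0x400000, with the target also spawned by file.exe) and one credential_harvesting finding for RegAsm.exe listing two browser stores and two wallet folders; the constructed chrome.exe line is not reported. The hollowing rule keys on the (source, target, base) triple so that a write of a PE header into memory the same process allocated executable elsewhere, or into a different process, does not produce a false match.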

Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.file.exe.281040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.281040.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 2364, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 3040, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a number in brackets is the count the matrix attaches to a technique observed in this analysis, the remaining entries are the matrix's unmatched cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [221]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [311]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [241]; Process Injection [311]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Install Root Certificate [1]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [251]; Process Discovery [1]; Virtualization/Sandbox Evasion [241]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [134]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [3]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Initial Sample

Source | Detection | Scanner
file.exe | 33% | Virustotal
file.exe | 32% | ReversingLabs
file.exe | 100% | Joe Sandbox ML

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs

Source | Detection | Scanner | Label
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15V | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 2% | Virustotal |
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal |
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal |
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 2% | Virustotal |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 1% | Virustotal |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 2% | Virustotal |
http://ns.exif/1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15V | 1% | Virustotal |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000004.00000002.2206870926.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15V | RegAsm.exe, 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | 4% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp
                                    • 1%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://tempuri.org/Entity/Id8RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002BAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://tempuri.org/Entity/Id5RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://tempuri.org/Entity/Id4RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://tempuri.org/Entity/Id7RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://tempuri.org/Entity/Id6RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://ns.exif/1RegAsm.exe, 00000004.00000002.2205622101.0000000000C0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://api.ip.sb/ipfile.exe, file.exe, 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://tempuri.org/Entity/Id20RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://tempuri.org/Entity/Id21RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://tempuri.org/Entity/Id22RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id23RegAsm.exe, 00000004.00000002.2206870926.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id24RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id10RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id11RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id12RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id13RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id14RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id15RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id16RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id18RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id19RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000004.00000002.2206870926.0000000002B56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp93RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
Reputation: high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://tempuri.org/Entity/Id17ResponseD
  Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
http://schemas.xmlsoap.org/soap/envelope/
  Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002921000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://tempuri.org/Entity/Id8ResponseD
  Source: RegAsm.exe, 00000004.00000002.2206870926.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  Source: RegAsm.exe, 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Note: every URL in this list was found as a string in a RegAsm.exe memory dump (the .sdmp sources), not observed as a network destination in this report. They are WS-Trust, WS-Addressing, SAML token profile, SOAP envelope and tempuri.org namespace identifiers that the .NET WCF stack (System.ServiceModel) embeds in any process hosting it; the host the sample actually contacted is the IP listed next.
IP: 5.42.65.96
Domain: unknown
Country: Russian Federation
ASN: 39493
ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Malicious: true
                                                                                                                            Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                            Analysis ID:1432174
                                                                                                                            Start date and time:2024-04-26 16:28:06 +02:00
                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                            Overall analysis duration:0h 5m 37s
                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                            Report type:full
                                                                                                                            Cookbook file name:default.jbs
                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                                                            Number of new started drivers analysed:0
                                                                                                                            Number of existing processes analysed:0
                                                                                                                            Number of existing drivers analysed:0
                                                                                                                            Number of injected processes analysed:0
                                                                                                                            Technologies:
                                                                                                                            • HCA enabled
                                                                                                                            • EGA enabled
                                                                                                                            • AMSI enabled
                                                                                                                            Analysis Mode:default
                                                                                                                            Analysis stop reason:Timeout
                                                                                                                            Sample name:file.exe
                                                                                                                            Detection:MAL
                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@6/5@0/1
                                                                                                                            EGA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            HCA Information:
                                                                                                                            • Successful, ratio: 95%
                                                                                                                            • Number of executed functions: 113
                                                                                                                            • Number of non-executed functions: 63
                                                                                                                            Cookbook Comments:
                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time: 16:29:06
Type: API Interceptor
Description: 44x Sleep call for process: RegAsm.exe modified
IP context, match 5.42.65.96 (associated sample name, detection, threat name):
• file.exe, malicious, RedLine
• file.exe, malicious, RedLine
• file.exe, malicious, RedLine
                                                                                                                                  No context
ASN context, match RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU (associated sample name, detection, threat name, IP contacted in this ASN):
• file.exe, malicious, RisePro Stealer, 45.15.156.9
• file.exe, malicious, RisePro Stealer, 45.15.156.9
• j1zkOQTx4q.exe, malicious, RisePro Stealer, 5.42.66.10
• f6FauZ2CEz.exe, malicious, RedLine, 5.42.92.179
• file.exe, malicious, PureLog Stealer, RisePro Stealer, zgRAT, 45.15.156.9
• file.exe, malicious, RedLine, 5.42.65.96
• file.exe, malicious, Unknown, 5.42.66.10
• file.exe, malicious, Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT, 5.42.66.10
• file.exe, malicious, Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT, 5.42.66.10
• file.exe, malicious, RedLine, 5.42.65.96
                                                                                                                                  No context
                                                                                                                                  No context
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:55 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2104
                                                                                                                                  Entropy (8bit):3.450987436011712
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:8S5l2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8S5lO7
                                                                                                                                  MD5:59C0399F8AFEF9292B3142B84076915B
                                                                                                                                  SHA1:C5D5A4DF758A6954893920E6DBBE8DE40D132155
                                                                                                                                  SHA-256:606357DF37CD552F9B24251A9FA54C682939615DD15205BF8502B8A2C8EB8F67
                                                                                                                                  SHA-512:2E5C97870B346FE731B9E098FDFDA6C45DA416761CAB7CB17C7339F27CD15DB7FEEF3F16BDB3A55660B7B886C213F5718E0C49E6F4F287D392661759785C5C07
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:low
                                                                                                                                  Preview:L..................F.@.. ......,......m.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
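The shortcut above is listed with command-line arguments and its preview ends in "--proxy-server", a Chromium switch that routes browser traffic through a host of the author's choosing. The following is an added example, not code from the Joe Sandbox report or from the sample: it reads the StringData fields of a Windows .lnk according to the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the flag-gated strings) and flags proxy and extension switches. The test shortcut, its proxy address 127.0.0.1:8080 and the placeholder item-ID bytes are constructed here; the list of switches checked is the editor's choice, with only --proxy-server taken from the page.

```python
"""Added example: parse .lnk StringData and flag Chromium proxy/extension switches."""
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields appear in this fixed order, each present only when its flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Editor's choice of switches worth flagging on a browser shortcut (all real Chromium switches)
SUSPICIOUS_SWITCHES = ("--proxy-server", "--proxy-pac-url", "--load-extension",
                       "--ignore-certificate-errors")


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and every StringData field present in a ShellLink blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + id_list_size          # skip the shell item ID list entirely
    if flags & HAS_LINK_INFO:
        link_info_size = struct.unpack_from("<I", data, pos)[0]
        pos += link_info_size            # LinkInfoSize counts its own 4-byte field
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def suspicious_switches(fields: dict) -> list:
    """Switches from SUSPICIOUS_SWITCHES that occur in the shortcut's arguments."""
    args = fields.get("arguments", "").lower()
    return [s for s in SUSPICIOUS_SWITCHES if s in args]


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed test input: a minimal Unicode .lnk with a placeholder item ID list."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # creation/access/write FILETIMEs (unused here)
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    # One placeholder ItemID (size 4: 2-byte size + 2 data bytes) followed by the TerminalID
    id_list = struct.pack("<H", 4) + b"\xaa\xbb" + struct.pack("<H", 0)
    body = struct.pack("<H", len(id_list)) + id_list

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body += string_data(relative_path) + string_data(working_dir)
    if arguments:
        body += string_data(arguments)
    return header + body


if __name__ == "__main__":
    import glob, os
    for path in glob.glob(os.path.expanduser("~/Desktop/*.lnk")):
        with open(path, "rb") as fh:
            hits = suspicious_switches(parse_lnk(fh.read()))
        if hits:
            print(path, hits)
```

Run against a real shortcut directory the parser walks the item ID list and LinkInfo blindly by size, so it works on shortcuts it cannot otherwise interpret; the only thing it needs to decode is the StringData section where an injected proxy argument lives.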
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):3274
                                                                                                                                  Entropy (8bit):5.3318368586986695
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
                                                                                                                                  MD5:0C1110E9B7BBBCB651A0B7568D796468
                                                                                                                                  SHA1:7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
                                                                                                                                  SHA-256:112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
                                                                                                                                  SHA-512:46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2662
                                                                                                                                  Entropy (8bit):7.8230547059446645
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                  MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                  SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                  SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                  SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2662
                                                                                                                                  Entropy (8bit):7.8230547059446645
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                  MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                  SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                  SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                  SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2251
                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3::
                                                                                                                                  MD5:0158FE9CEAD91D1B027B795984737614
                                                                                                                                  SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                                                                                  SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                                                                                  SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                                                                                  Malicious:false
                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.672166470720766
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 507'904 bytes
MD5: ea8b223863892068e3cfab601caf53d4
SHA1: d94660b1fc88c44fddf2b330e9628b38c9e7d8d0
SHA256: 4ed2368fc3e3030a3da9930cb430b80d4611baf0a0451efe3f9e02b25ccd493d
SHA512: c2e615cf996015fe3eb04ebdb345e1cad04e73850e77bc9d9ee3dee919cf10f3bb8d323d98c9d02b80cc1687cb69f8e82a5ec350ba3ef73fbdccb2be3d43d11a
SSDEEP: 12288:1dy0t/5TvliKBBV06Eqj7o38LjxixclXtKIN2rYoPlD6y:f/5jl7mEoKt9N2FR6
TLSH: 09B4F105B5C0C073D572293106F4EBB49E3DF9714F61AE9FA7940BAF4F312928225A6B
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................... ....... ..._... ....... ...............1.......1.......1.................s.............Rich............PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4068ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x662BB112 [Fri Apr 26 13:50:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 17c87c2ceba06a933957d5cd67f1cd22
                                                                                                                                  Instruction
                                                                                                                                  call 00007F3B68BC2D55h
                                                                                                                                  jmp 00007F3B68BC24E9h
                                                                                                                                  push ebp
                                                                                                                                  mov ebp, esp
                                                                                                                                  mov eax, dword ptr [ebp+08h]
                                                                                                                                  push esi
                                                                                                                                  mov ecx, dword ptr [eax+3Ch]
                                                                                                                                  add ecx, eax
                                                                                                                                  movzx eax, word ptr [ecx+14h]
                                                                                                                                  lea edx, dword ptr [ecx+18h]
                                                                                                                                  add edx, eax
                                                                                                                                  movzx eax, word ptr [ecx+06h]
                                                                                                                                  imul esi, eax, 28h
                                                                                                                                  add esi, edx
                                                                                                                                  cmp edx, esi
                                                                                                                                  je 00007F3B68BC268Bh
                                                                                                                                  mov ecx, dword ptr [ebp+0Ch]
                                                                                                                                  cmp ecx, dword ptr [edx+0Ch]
                                                                                                                                  jc 00007F3B68BC267Ch
                                                                                                                                  mov eax, dword ptr [edx+08h]
                                                                                                                                  add eax, dword ptr [edx+0Ch]
                                                                                                                                  cmp ecx, eax
                                                                                                                                  jc 00007F3B68BC267Eh
                                                                                                                                  add edx, 28h
                                                                                                                                  cmp edx, esi
                                                                                                                                  jne 00007F3B68BC265Ch
                                                                                                                                  xor eax, eax
                                                                                                                                  pop esi
                                                                                                                                  pop ebp
                                                                                                                                  ret
                                                                                                                                  mov eax, edx
                                                                                                                                  jmp 00007F3B68BC266Bh
                                                                                                                                  push esi
                                                                                                                                  call 00007F3B68BC3038h
                                                                                                                                  test eax, eax
                                                                                                                                  je 00007F3B68BC2692h
                                                                                                                                  mov eax, dword ptr fs:[00000018h]
                                                                                                                                  mov esi, 00430428h
                                                                                                                                  mov edx, dword ptr [eax+04h]
                                                                                                                                  jmp 00007F3B68BC2676h
                                                                                                                                  cmp edx, eax
                                                                                                                                  je 00007F3B68BC2682h
                                                                                                                                  xor eax, eax
                                                                                                                                  mov ecx, edx
                                                                                                                                  lock cmpxchg dword ptr [esi], ecx
                                                                                                                                  test eax, eax
                                                                                                                                  jne 00007F3B68BC2662h
                                                                                                                                  xor al, al
                                                                                                                                  pop esi
                                                                                                                                  ret
                                                                                                                                  mov al, 01h
                                                                                                                                  pop esi
                                                                                                                                  ret
                                                                                                                                  push ebp
                                                                                                                                  mov ebp, esp
                                                                                                                                  cmp dword ptr [ebp+08h], 00000000h
                                                                                                                                  jne 00007F3B68BC2679h
                                                                                                                                  mov byte ptr [0043042Ch], 00000001h
                                                                                                                                  call 00007F3B68BC286Eh
                                                                                                                                  call 00007F3B68BC55CBh
                                                                                                                                  test al, al
                                                                                                                                  jne 00007F3B68BC2676h
                                                                                                                                  xor al, al
                                                                                                                                  pop ebp
                                                                                                                                  ret
                                                                                                                                  call 00007F3B68BCEDE7h
                                                                                                                                  test al, al
                                                                                                                                  jne 00007F3B68BC267Ch
                                                                                                                                  push 00000000h
                                                                                                                                  call 00007F3B68BC55D2h
                                                                                                                                  pop ecx
                                                                                                                                  jmp 00007F3B68BC265Bh
                                                                                                                                  mov al, 01h
                                                                                                                                  pop ebp
                                                                                                                                  ret
                                                                                                                                  push ebp
                                                                                                                                  mov ebp, esp
                                                                                                                                  cmp byte ptr [0043042Dh], 00000000h
                                                                                                                                  je 00007F3B68BC2676h
                                                                                                                                  mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d8b4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f000 | 0x1b74 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2bd48 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2bc88 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x21f90 | 0x22000 | f14c05a6dca219bb2c84204cace7d040 | False | 0.5812198414522058 | data | 6.636378879087742 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss | 0x23000 | 0x4ca | 0x600 | 901a9dc1427cbd3f44b14848ccca4ba5 | False | 0.6354166666666666 | data | 5.637778724996146 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x24000 | 0xa078 | 0xa200 | 7bde77e9c6633ef6b87313419e06a57a | False | 0.4343412422839506 | data | 4.962790929317122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x1f2c | 0x1000 | e43a2fd03de3710737c2e6df04231506 | False | 0.1962890625 | data | 3.1279241686690304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bsS | 0x31000 | 0x4c4ec | 0x4c600 | aa88fc301f8be989f00b54a081bcb049 | False | 0.9981459697217676 | OpenPGP Secret Key | 7.999204116583416 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7e000 | 0x1e0 | 0x200 | dbe1515e25b29d6c778cce075f0cb524 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7f000 | 0x1b74 | 0x1c00 | 1b1abb7b06860478dc660f44dafe9d9c | False | 0.75 | data | 6.50238350002894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x7e060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | Sleep, VirtualProtect, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, CreateFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/26/24-16:28:58.476425 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
04/26/24-16:29:13.331288 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
04/26/24-16:28:58.227042 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
04/26/24-16:29:03.773464 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 16:28:57.570960045 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:28:57.818397045 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:28:57.818502903 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:28:57.894654036 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:28:58.142633915 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:28:58.206533909 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:28:58.227041960 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:28:58.476424932 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:28:58.706558943 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:03.522583961 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:03.773463964 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:03.773493052 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:03.773631096 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:03.773650885 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:03.773673058 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:03.773684978 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:03.773726940 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:03.815903902 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:03.906419039 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.155378103 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.209872961 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.236193895 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.484175920 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.484225035 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.484325886 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.484399080 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.484544992 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.484608889 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.732038021 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.732126951 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.732240915 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.732280016 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.732306004 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.732323885 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:04.732336044 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:04.732381105 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:04.732582092 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.732639074 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:04.732738972 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.732793093 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:04.733208895 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.733314991 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:04.979793072 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.979878902 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.979897022 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980035067 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:04.980117083 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980133057 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980222940 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980508089 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980739117 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.980855942 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:04.989357948 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.227716923 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.227891922 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.228352070 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.230808973 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231471062 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231487036 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231504917 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231518984 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231534004 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231549978 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231564999 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231580019 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231595039 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231611967 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231626987 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.231642008 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.236129999 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.236224890 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.238785982 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.238806009 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.238931894 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239074945 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239384890 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239701033 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239716053 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239731073 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.239993095 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.240307093 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.240597010 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.240885019 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.241504908 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.241520882 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.241535902 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.241549969 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.241564989 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.281591892 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.478866100 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.483835936 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.483943939 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484019995 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484035015 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484468937 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484509945 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484714031 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.484932899 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.485095024 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.485249043 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.485663891 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.485719919 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.485940933 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.486152887 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.486306906 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.486635923 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.486713886 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.486932039 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.487188101 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.487783909 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.487982988 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.488234043 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.497663021 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.497744083 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.529681921 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.558732986 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.558821917 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.745501995 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.745562077 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.745771885 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.745807886 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.745901108 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.746395111 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.746849060 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.746915102 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.746948957 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.746982098 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747015953 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747046947 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747240067 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747370958 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747575998 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.747833014 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748171091 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748364925 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748490095 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748522043 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748836994 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.748869896 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.749013901 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.749393940 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.749425888 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806379080 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806499958 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806574106 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806792021 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806838036 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.806977987 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.807188988 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.807339907 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.807539940 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808171034 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808274031 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808326960 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808413029 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808445930 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808589935 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.808980942 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.809355974 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.809686899 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.809806108 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.809987068 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.810281038 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:05.826842070 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.826942921 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.826942921 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.826989889 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:05.827028036 CEST4970428380192.168.2.55.42.65.96
                                                                                                                                  Apr 26, 2024 16:29:06.074338913 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.074697971 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.074716091 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.074810982 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.074947119 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.075191975 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.075207949 CEST28380497045.42.65.96192.168.2.5
                                                                                                                                  Apr 26, 2024 16:29:06.075398922 CEST28380497045.42.65.96192.168.2.5
Apr 26, 2024 16:29:06.075558901 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.075959921 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076035976 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076189041 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076296091 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076442957 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076554060 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.076811075 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077044964 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077138901 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077312946 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077459097 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077661991 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077760935 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.077948093 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.078124046 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.078289986 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.078471899 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.078679085 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079037905 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079128027 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079305887 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079464912 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079673052 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079823971 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.079956055 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.080172062 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.080708027 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.153618097 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.153744936 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.153744936 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.153794050 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.153856039 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.401278019 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.401335001 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.401434898 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.401527882 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.401784897 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.401890993 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402097940 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402132034 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402240992 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402442932 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402631998 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402827978 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.402987957 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403198957 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403225899 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.403295040 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403484106 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403517008 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403661013 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403872967 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.403964996 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.404081106 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.650646925 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651019096 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651087999 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651428938 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651496887 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651794910 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.651938915 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.652013063 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.653803110 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.706568003 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.732177019 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:06.979613066 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.979640961 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.979759932 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.979911089 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:06.981028080 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:07.034692049 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:07.916361094 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:08.166668892 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.222152948 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:08.227823019 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:08.476027966 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.490236998 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:08.737517118 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.737848043 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.737883091 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.738697052 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:08.784646034 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:08.869728088 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:09.120930910 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:09.126074076 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:09.375498056 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:09.381098032 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:09.629509926 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:09.675282955 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:10.640291929 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:10.894629955 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:10.897517920 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:11.147380114 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:11.149955988 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:11.398586035 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:11.400702000 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:11.648658037 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:11.655749083 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:11.904253960 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:11.906090975 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:12.154470921 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:12.157423019 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:12.406685114 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:12.407926083 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:12.656384945 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:12.706535101 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:12.833216906 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:13.081639051 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:13.082210064 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:13.330318928 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:13.331288099 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96
Apr 26, 2024 16:29:13.582890034 CEST | 28380 | 49704 | 5.42.65.96 | 192.168.2.5
Apr 26, 2024 16:29:13.617007017 CEST | 49704 | 28380 | 192.168.2.5 | 5.42.65.96


                                                                                                                                  Target ID:0
                                                                                                                                  Start time:16:28:52
                                                                                                                                  Start date:26/04/2024
                                                                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                  Imagebase:0x250000
                                                                                                                                  File size:507'904 bytes
                                                                                                                                  MD5 hash:EA8B223863892068E3CFAB601CAF53D4
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:1
                                                                                                                                  Start time:16:28:53
                                                                                                                                  Start date:26/04/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:3
                                                                                                                                  Start time:16:28:53
                                                                                                                                  Start date:26/04/2024
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                  Imagebase:0x440000
                                                                                                                                  File size:65'440 bytes
                                                                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:4
                                                                                                                                  Start time:16:28:53
                                                                                                                                  Start date:26/04/2024
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                  Imagebase:0x480000
                                                                                                                                  File size:65'440 bytes
                                                                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2204664213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2206870926.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2206870926.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true


Execution Graph

Execution Coverage:4.3%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:2.5%
Total number of Nodes:2000
Total number of Limit Nodes:51
18731->18732 18792 256b7c IsProcessorFeaturePresent 18732->18792 18736 256988 18741 25698c 18736->18741 18802 263107 18736->18802 18738 2569a3 18738->18708 18741->18708 18743 261137 18742->18743 18745 26113c 18742->18745 18874 260e88 18743->18874 18745->18721 19168 251fdd 18746->19168 18749 256576 codecvt 43 API calls 18750 27343b 18749->18750 18753 27344b VirtualProtect FreeConsole 18750->18753 19188 273000 18750->19188 19172 251d1e 18753->19172 18758 2734a7 18759 2734c4 18758->18759 18760 2734ad 18758->18760 18768 2612d8 _unexpected 23 API calls 18767->18768 18769 261501 18768->18769 18769->18712 18771 2614e0 std::_Locinfo::_Locinfo_ctor 18770->18771 18772 25dc7b ___scrt_is_nonwritable_in_current_image 18770->18772 18771->18717 18773 263600 _unexpected 41 API calls 18772->18773 18776 25dc8c 18773->18776 18774 25df83 __purecall 41 API calls 18775 25dcb6 18774->18775 18776->18774 18789 2570a9 _unexpected codecvt 18788->18789 18790 257154 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 18789->18790 18791 257198 _unexpected 18790->18791 18791->18711 18793 256983 18792->18793 18794 2598de 18793->18794 18811 25a9b7 18794->18811 18797 2598e7 18797->18736 18799 2598ef 18800 2598fa 18799->18800 18825 25a9f3 18799->18825 18800->18736 18865 26d383 18802->18865 18805 2598fd 18806 259906 18805->18806 18807 259910 18805->18807 18808 259a76 ___vcrt_uninitialize_ptd 6 API calls 18806->18808 18807->18741 18809 25990b 18808->18809 18810 25a9f3 ___vcrt_uninitialize_locks DeleteCriticalSection 18809->18810 18810->18807 18813 25a9c0 18811->18813 18814 25a9e9 18813->18814 18815 2598e3 18813->18815 18829 25abfc 18813->18829 18816 25a9f3 ___vcrt_uninitialize_locks DeleteCriticalSection 18814->18816 18815->18797 18817 259a43 18815->18817 18816->18815 18846 25ab0d 18817->18846 18821 259a73 18821->18799 18824 259a58 18824->18799 18826 25aa1d 18825->18826 18827 25a9fe 18825->18827 18826->18797 18828 25aa08 DeleteCriticalSection 18827->18828 18828->18826 18828->18828 
18834 25aa22 18829->18834 18832 25ac34 InitializeCriticalSectionAndSpinCount 18833 25ac1f 18832->18833 18833->18813 18835 25aa3f 18834->18835 18836 25aa43 18834->18836 18835->18832 18835->18833 18836->18835 18837 25aaab GetProcAddress 18836->18837 18839 25aa9c 18836->18839 18841 25aac2 LoadLibraryExW 18836->18841 18837->18835 18839->18837 18840 25aaa4 FreeLibrary 18839->18840 18840->18837 18842 25aad9 GetLastError 18841->18842 18843 25ab09 18841->18843 18842->18843 18844 25aae4 ___vcrt_FlsGetValue 18842->18844 18843->18836 18844->18843 18845 25aafa LoadLibraryExW 18844->18845 18845->18836 18847 25aa22 ___vcrt_FlsGetValue 5 API calls 18846->18847 18848 25ab27 18847->18848 18849 25ab40 TlsAlloc 18848->18849 18850 259a4d 18848->18850 18850->18824 18851 25abbe 18850->18851 18852 25aa22 ___vcrt_FlsGetValue 5 API calls 18851->18852 18853 25abd8 18852->18853 18854 25abf3 TlsSetValue 18853->18854 18855 259a66 18853->18855 18854->18855 18855->18821 18856 259a76 18855->18856 18857 259a80 18856->18857 18858 259a86 18856->18858 18860 25ab48 18857->18860 18858->18824 18861 25aa22 ___vcrt_FlsGetValue 5 API calls 18860->18861 18862 25ab62 18861->18862 18863 25ab7a TlsFree 18862->18863 18864 25ab6e 18862->18864 18863->18864 18864->18858 18866 26d393 18865->18866 18867 256995 18865->18867 18866->18867 18869 265b9d 18866->18869 18867->18738 18867->18805 18870 265ba4 18869->18870 18871 265be7 GetStdHandle 18870->18871 18872 265c49 18870->18872 18873 265bfa GetFileType 18870->18873 18871->18870 18872->18866 18873->18870 18875 260ea7 18874->18875 18876 260e91 18874->18876 18875->18745 18876->18875 18880 260eb4 18876->18880 18878 260e9e 18878->18875 18897 26101f 18878->18897 18881 260ec0 18880->18881 18882 260ebd 18880->18882 18905 26a670 18881->18905 18882->18878 18887 260ed1 18890 2648b6 ___free_lconv_mon 14 API calls 18887->18890 18888 260edd 18932 260f0e 18888->18932 18892 260ed7 18890->18892 18892->18878 18893 2648b6 ___free_lconv_mon 14 API calls 18894 260f01 18893->18894 18895 
2648b6 ___free_lconv_mon 14 API calls 18894->18895 18896 260f07 18895->18896 18896->18878 18898 261090 18897->18898 18901 26102e 18897->18901 18898->18875 18899 2695c0 WideCharToMultiByte _Fputc 18899->18901 18900 264859 _unexpected 14 API calls 18900->18901 18901->18898 18901->18899 18901->18900 18903 261094 18901->18903 18904 2648b6 ___free_lconv_mon 14 API calls 18901->18904 18902 2648b6 ___free_lconv_mon 14 API calls 18902->18898 18903->18902 18904->18901 18906 26a679 18905->18906 18910 260ec6 18905->18910 18954 2636bb 18906->18954 18911 26a972 GetEnvironmentStringsW 18910->18911 18912 26a98a 18911->18912 18927 260ecb 18911->18927 18913 2695c0 _Fputc WideCharToMultiByte 18912->18913 18914 26a9a7 18913->18914 18915 26a9b1 FreeEnvironmentStringsW 18914->18915 18916 26a9bc 18914->18916 18915->18927 18917 264ae0 __strnicoll 15 API calls 18916->18917 18918 26a9c3 18917->18918 18919 26a9dc 18918->18919 18920 26a9cb 18918->18920 18921 2695c0 _Fputc WideCharToMultiByte 18919->18921 18922 2648b6 ___free_lconv_mon 14 API calls 18920->18922 18923 26a9ec 18921->18923 18924 26a9d0 FreeEnvironmentStringsW 18922->18924 18925 26a9f3 18923->18925 18926 26a9fb 18923->18926 18924->18927 18928 2648b6 ___free_lconv_mon 14 API calls 18925->18928 18929 2648b6 ___free_lconv_mon 14 API calls 18926->18929 18927->18887 18927->18888 18930 26a9f9 FreeEnvironmentStringsW 18928->18930 18929->18930 18930->18927 18934 260f23 18932->18934 18933 264859 _unexpected 14 API calls 18935 260f4a 18933->18935 18934->18933 18936 260f52 18935->18936 18946 260f5c 18935->18946 18937 2648b6 ___free_lconv_mon 14 API calls 18936->18937 18953 260ee4 18937->18953 18938 260fb9 18939 2648b6 ___free_lconv_mon 14 API calls 18938->18939 18939->18953 18940 264859 _unexpected 14 API calls 18940->18946 18941 260fc8 19162 260ff0 18941->19162 18943 2631a8 ___std_exception_copy 41 API calls 18943->18946 18945 260fe3 18949 25affc _Deallocate 11 API calls 18945->18949 18946->18938 18946->18940 18946->18941 18946->18943 
18946->18945 18948 2648b6 ___free_lconv_mon 14 API calls 18946->18948 18947 2648b6 ___free_lconv_mon 14 API calls 18950 260fd5 18947->18950 18948->18946 18951 260fef 18949->18951 18952 2648b6 ___free_lconv_mon 14 API calls 18950->18952 18952->18953 18953->18893 18955 2636c6 18954->18955 18956 2636cc 18954->18956 18957 2661cb _unexpected 6 API calls 18955->18957 18958 26620a _unexpected 6 API calls 18956->18958 18960 2636d2 18956->18960 18957->18956 18959 2636e6 18958->18959 18959->18960 18961 264859 _unexpected 14 API calls 18959->18961 18962 25df83 __purecall 41 API calls 18960->18962 18978 2636d7 18960->18978 18963 2636f6 18961->18963 18964 263750 18962->18964 18965 263713 18963->18965 18966 2636fe 18963->18966 18968 26620a _unexpected 6 API calls 18965->18968 18967 26620a _unexpected 6 API calls 18966->18967 18969 26370a 18967->18969 18970 26371f 18968->18970 18974 2648b6 ___free_lconv_mon 14 API calls 18969->18974 18971 263732 18970->18971 18972 263723 18970->18972 18973 26342e _unexpected 14 API calls 18971->18973 18975 26620a _unexpected 6 API calls 18972->18975 18976 26373d 18973->18976 18974->18960 18975->18969 18977 2648b6 ___free_lconv_mon 14 API calls 18976->18977 18977->18978 18979 26a47b 18978->18979 19002 26a5d0 18979->19002 18984 26a4be 18984->18910 18985 264ae0 __strnicoll 15 API calls 18986 26a4cf 18985->18986 18987 26a4d7 18986->18987 18988 26a4e5 18986->18988 18990 2648b6 ___free_lconv_mon 14 API calls 18987->18990 19020 26a6cb 18988->19020 18990->18984 19003 26a5dc ___scrt_is_nonwritable_in_current_image 19002->19003 19005 26a5f6 19003->19005 19039 25df0d EnterCriticalSection 19003->19039 19006 26a4a5 19005->19006 19008 25df83 __purecall 41 API calls 19005->19008 19013 26a1fb 19006->19013 19009 26a66f 19008->19009 19010 26a606 19011 2648b6 ___free_lconv_mon 14 API calls 19010->19011 19012 26a632 19010->19012 19011->19012 19040 26a64f 19012->19040 19044 2600d4 19013->19044 19016 26a22e 19018 26a245 19016->19018 19019 26a233 GetACP 19016->19019 
19017 26a21c GetOEMCP 19017->19018 19018->18984 19018->18985 19019->19018 19021 26a1fb 43 API calls 19020->19021 19022 26a6eb 19021->19022 19023 26a764 codecvt 19022->19023 19025 26a728 IsValidCodePage 19022->19025 19024 2565b4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 19023->19024 19026 26a512 19024->19026 19025->19023 19027 26a73a 19025->19027 19028 26a769 GetCPInfo 19027->19028 19030 26a743 codecvt 19027->19030 19028->19023 19028->19030 19039->19010 19043 25df55 LeaveCriticalSection 19040->19043 19042 26a656 19042->19005 19043->19042 19045 2600f2 19044->19045 19046 2600eb 19044->19046 19045->19046 19047 263600 _unexpected 41 API calls 19045->19047 19046->19016 19046->19017 19048 260113 19047->19048 19049 264a24 __Getctype 41 API calls 19048->19049 19050 260129 19049->19050 19052 264a82 19050->19052 19053 264a95 19052->19053 19054 264aaa 19052->19054 19053->19054 19056 26a6b8 19053->19056 19054->19046 19057 263600 _unexpected 41 API calls 19056->19057 19058 26a6bd 19057->19058 19059 26a5d0 __strnicoll 41 API calls 19058->19059 19060 26a6c8 19059->19060 19060->19054 19163 260fce 19162->19163 19164 260ffd 19162->19164 19163->18947 19165 261014 19164->19165 19166 2648b6 ___free_lconv_mon 14 API calls 19164->19166 19167 2648b6 ___free_lconv_mon 14 API calls 19165->19167 19166->19164 19167->19163 19169 251ffa _strlen 19168->19169 19205 2511cf 19169->19205 19171 252007 19171->18749 19233 251dfb 19172->19233 19174 251d32 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 19236 25de3b 19174->19236 19176 251d5f 19177 251d68 19176->19177 19251 254746 19176->19251 19180 2540aa 19177->19180 19181 2540b5 GetCurrentThreadId 19180->19181 19186 2540bf 19180->19186 19182 2540c3 19181->19182 19181->19186 19401 254590 WaitForSingleObjectEx 19182->19401 19183 254746 std::_Throw_Cpp_error 43 API calls 19185 2540e8 19183->19185 19186->19183 19187 2540d9 Sleep 19186->19187 19187->18758 19196 273030 19188->19196 19198 2730fa 19188->19198 19191 251fdd 43 API calls std::_Throw_Cpp_error 
19191->19196 19192 2565b4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 19193 273114 19192->19193 19193->18753 19194 254134 43 API calls 19194->19196 19195 25bc1e 44 API calls 19195->19196 19196->19191 19196->19194 19196->19195 19197 2533ef 41 API calls std::_Throw_Cpp_error 19196->19197 19196->19198 19197->19196 19407 2533c9 19198->19407 19206 25123a 19205->19206 19209 2511e0 std::_Throw_Cpp_error 19205->19209 19207 25343e std::_Throw_Cpp_error 43 API calls 19206->19207 19208 25123f 19207->19208 19211 2511e7 std::_Throw_Cpp_error 19209->19211 19212 25116b 19209->19212 19211->19171 19213 251176 19212->19213 19215 25117e 19212->19215 19220 25118d 19213->19220 19216 25118a 19215->19216 19218 256576 codecvt 43 API calls 19215->19218 19216->19211 19219 251188 19218->19219 19219->19211 19221 253364 Concurrency::cancel_current_task 19220->19221 19222 25119c 19220->19222 19225 25914c Concurrency::cancel_current_task RaiseException 19221->19225 19223 256576 codecvt 43 API calls 19222->19223 19232 2511a2 19223->19232 19224 25117c 19224->19211 19229 253380 codecvt 19225->19229 19226 25af1b __strnicoll 41 API calls 19227 25afee 19226->19227 19228 25affc _Deallocate 11 API calls 19227->19228 19230 25affb 19228->19230 19231 25914c Concurrency::cancel_current_task RaiseException 19229->19231 19231->19232 19232->19224 19232->19226 19234 256576 codecvt 43 API calls 19233->19234 19235 251e02 19234->19235 19235->19174 19237 25de5c 19236->19237 19238 25de48 19236->19238 19257 25ddeb 19237->19257 19240 25e84d __dosmaperr 14 API calls 19238->19240 19242 25de4d 19240->19242 19244 25afcf __strnicoll 41 API calls 19242->19244 19243 25de71 CreateThread 19245 25de90 GetLastError 19243->19245 19249 25de9c 19243->19249 19282 25dcdf 19243->19282 19246 25de58 19244->19246 19266 25e7f3 19245->19266 19246->19176 19271 25dd5d 19249->19271 19252 25475c std::_Throw_Cpp_error 19251->19252 19329 254666 19252->19329 19258 264859 _unexpected 14 API calls 19257->19258 19259 25ddfc 19258->19259 
19260 2648b6 ___free_lconv_mon 14 API calls 19259->19260 19261 25de09 19260->19261 19262 25de10 GetModuleHandleExW 19261->19262 19263 25de2d 19261->19263 19262->19263 19264 25dd5d 16 API calls 19263->19264 19265 25de35 19264->19265 19265->19243 19265->19249 19272 25dd69 19271->19272 19278 25dd8d 19271->19278 19278->19176 19283 25dceb ___scrt_is_nonwritable_in_current_image 19282->19283 19330 254672 __EH_prolog3_GS 19329->19330 19331 251fdd std::_Throw_Cpp_error 43 API calls 19330->19331 19332 254686 19331->19332 19402 2545a7 19401->19402 19403 2545d9 19401->19403 19403->19186 19408 2533d1 19407->19408 19409 2533e1 19407->19409 19410 2513c0 _Deallocate 41 API calls 19408->19410 19409->19192 19410->19409 22583 26d37a 22584 26d3b1 22583->22584 22585 26d393 22583->22585 22585->22584 22586 265b9d 2 API calls 22585->22586 22586->22585 22587 255b7b 22588 255b95 22587->22588 22589 255ba7 22588->22589 22591 254f52 22588->22591 22594 25f001 22591->22594 22595 25f00d ___scrt_is_nonwritable_in_current_image 22594->22595 22596 25f014 22595->22596 22597 25f02b 22595->22597 22598 25e84d __dosmaperr 14 API calls 22596->22598 22607 25e984 EnterCriticalSection 22597->22607 22600 25f019 22598->22600 22602 25afcf __strnicoll 41 API calls 22600->22602 22601 25f03a 22608 25ef4b 22601->22608 22604 254f64 22602->22604 22604->22589 22605 25f048 22622 25f077 22605->22622 22607->22601 22609 25ef61 22608->22609 22610 25efeb _Ungetc 22608->22610 22609->22610 22611 25ef8f 22609->22611 22612 267dfd _Ungetc 14 API calls 22609->22612 22610->22605 22611->22610 22613 265986 _Ungetc 41 API calls 22611->22613 22612->22611 22614 25efa1 22613->22614 22615 265986 _Ungetc 41 API calls 22614->22615 22621 25efc4 22614->22621 22616 25efad 22615->22616 22618 265986 _Ungetc 41 API calls 22616->22618 22616->22621 22619 25efb9 22618->22619 22620 265986 _Ungetc 41 API calls 22619->22620 22620->22621 22621->22610 22625 25ee3e 22621->22625 22644 25e998 LeaveCriticalSection 22622->22644 22624 25f07d 22624->22604 
22626 265986 _Ungetc 41 API calls 22625->22626 22627 25ee61 22626->22627 22628 265986 _Ungetc 41 API calls 22627->22628 22629 25ee8a 22627->22629 22630 25ee6f 22628->22630 22634 25eec4 22629->22634 22638 2657e2 22629->22638 22630->22629 22632 265986 _Ungetc 41 API calls 22630->22632 22633 25ee7d 22632->22633 22635 265986 _Ungetc 41 API calls 22633->22635 22636 2565b4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 22634->22636 22635->22629 22637 25ef42 22636->22637 22637->22610 22639 2657f5 _Fputc 22638->22639 22640 265678 _Fputc 43 API calls 22639->22640 22641 26580a 22640->22641 22642 25ad0b _Fputc 41 API calls 22641->22642 22643 265817 22642->22643 22643->22634 22644->22624 20538 265c4d 20539 265c59 ___scrt_is_nonwritable_in_current_image 20538->20539 20550 25df0d EnterCriticalSection 20539->20550 20541 265c60 20551 26ae4a 20541->20551 20544 265c7e 20570 265ca4 20544->20570 20549 265b9d 2 API calls 20549->20544 20550->20541 20552 26ae56 ___scrt_is_nonwritable_in_current_image 20551->20552 20553 26ae80 20552->20553 20554 26ae5f 20552->20554 20573 25df0d EnterCriticalSection 20553->20573 20555 25e84d __dosmaperr 14 API calls 20554->20555 20557 26ae64 20555->20557 20558 25afcf __strnicoll 41 API calls 20557->20558 20559 265c6f 20558->20559 20559->20544 20564 265ae7 GetStartupInfoW 20559->20564 20560 26aeb8 20581 26aedf 20560->20581 20562 26ae8c 20562->20560 20574 26ad9a 20562->20574 20565 265b04 20564->20565 20566 265b98 20564->20566 20565->20566 20567 26ae4a 42 API calls 20565->20567 20566->20549 20568 265b2c 20567->20568 20568->20566 20569 265b5c GetFileType 20568->20569 20569->20568 20585 25df55 LeaveCriticalSection 20570->20585 20572 265c8f 20573->20562 20575 264859 _unexpected 14 API calls 20574->20575 20578 26adac 20575->20578 20576 26adb9 20577 2648b6 ___free_lconv_mon 14 API calls 20576->20577 20579 26ae0e 20577->20579 20578->20576 20580 2662c7 6 API calls 20578->20580 20579->20562 20580->20578 20584 25df55 LeaveCriticalSection 20581->20584 20583 
26aee6 20583->20559 20584->20583 20585->20572 20878 267658 20879 267665 20878->20879 20883 26767d 20878->20883 20880 25e84d __dosmaperr 14 API calls 20879->20880 20881 26766a 20880->20881 20882 25afcf __strnicoll 41 API calls 20881->20882 20884 267675 20882->20884 20883->20884 20885 2676dc 20883->20885 20887 267dfd _Ungetc 14 API calls 20883->20887 20886 265986 _Ungetc 41 API calls 20885->20886 20888 2676f5 20886->20888 20887->20885 20898 26fa3a 20888->20898 20891 265986 _Ungetc 41 API calls 20892 26772e 20891->20892 20892->20884 20893 265986 _Ungetc 41 API calls 20892->20893 20894 26773c 20893->20894 20894->20884 20895 265986 _Ungetc 41 API calls 20894->20895 20896 26774a 20895->20896 20897 265986 _Ungetc 41 API calls 20896->20897 20897->20884 20899 26fa46 ___scrt_is_nonwritable_in_current_image 20898->20899 20900 26fa66 20899->20900 20901 26fa4e 20899->20901 20903 26fb23 20900->20903 20908 26fa9c 20900->20908 20902 25e83a __dosmaperr 14 API calls 20901->20902 20905 26fa53 20902->20905 20904 25e83a __dosmaperr 14 API calls 20903->20904 20906 26fb28 20904->20906 20907 25e84d __dosmaperr 14 API calls 20905->20907 20909 25e84d __dosmaperr 14 API calls 20906->20909 20927 2676fd 20907->20927 20910 26faa5 20908->20910 20911 26faba 20908->20911 20914 26fab2 20909->20914 20912 25e83a __dosmaperr 14 API calls 20910->20912 20928 26aee8 EnterCriticalSection 20911->20928 20915 26faaa 20912->20915 20920 25afcf __strnicoll 41 API calls 20914->20920 20917 25e84d __dosmaperr 14 API calls 20915->20917 20916 26fac0 20918 26faf1 20916->20918 20919 26fadc 20916->20919 20917->20914 20929 26fb4e 20918->20929 20921 25e84d __dosmaperr 14 API calls 20919->20921 20920->20927 20923 26fae1 20921->20923 20925 25e83a __dosmaperr 14 API calls 20923->20925 20924 26faec 20992 26fb1b 20924->20992 20925->20924 20927->20884 20927->20891 20928->20916 20930 26fb60 20929->20930 20931 26fb78 20929->20931 20932 25e83a __dosmaperr 14 API calls 20930->20932 20933 26fece 20931->20933 20936 26fbbe 
20931->20936 20934 26fb65 20932->20934 20935 25e83a __dosmaperr 14 API calls 20933->20935 20937 25e84d __dosmaperr 14 API calls 20934->20937 20938 26fed3 20935->20938 20939 26fbc9 20936->20939 20940 26fb6d 20936->20940 20947 26fbf9 20936->20947 20937->20940 20941 25e84d __dosmaperr 14 API calls 20938->20941 20943 25e83a __dosmaperr 14 API calls 20939->20943 20940->20924 20942 26fbd6 20941->20942 20945 25afcf __strnicoll 41 API calls 20942->20945 20944 26fbce 20943->20944 20946 25e84d __dosmaperr 14 API calls 20944->20946 20945->20940 20946->20942 20948 26fc2c 20947->20948 20949 26fc5d 20947->20949 20950 26fc12 20947->20950 20952 25e83a __dosmaperr 14 API calls 20948->20952 20953 264ae0 __strnicoll 15 API calls 20949->20953 20950->20948 20951 26fc17 20950->20951 20995 26f231 20951->20995 20954 26fc31 20952->20954 20957 26fc6e 20953->20957 20955 25e84d __dosmaperr 14 API calls 20954->20955 20958 26fc38 20955->20958 20960 2648b6 ___free_lconv_mon 14 API calls 20957->20960 20961 25afcf __strnicoll 41 API calls 20958->20961 20959 26fdaa 20962 26fe1e 20959->20962 20965 26fdc3 GetConsoleMode 20959->20965 20963 26fc77 20960->20963 20991 26fc43 20961->20991 20964 26fe22 ReadFile 20962->20964 20966 2648b6 ___free_lconv_mon 14 API calls 20963->20966 20967 26fe96 GetLastError 20964->20967 20968 26fe3a 20964->20968 20965->20962 20969 26fdd4 20965->20969 20970 26fc7e 20966->20970 20971 26fea3 20967->20971 20972 26fdfa 20967->20972 20968->20967 20973 26fe13 20968->20973 20969->20964 20974 26fdda ReadConsoleW 20969->20974 20975 26fca3 20970->20975 20976 26fc88 20970->20976 20978 25e84d __dosmaperr 14 API calls 20971->20978 20984 25e7f3 __dosmaperr 14 API calls 20972->20984 20972->20991 20987 26fe76 20973->20987 20988 26fe5f 20973->20988 20973->20991 20974->20973 20980 26fdf4 GetLastError 20974->20980 20979 269470 43 API calls 20975->20979 20977 25e84d __dosmaperr 14 API calls 20976->20977 20982 26fc8d 20977->20982 20983 26fea8 20978->20983 20979->20951 20980->20972 20981 2648b6 
___free_lconv_mon 14 API calls 20981->20940 20985 25e83a __dosmaperr 14 API calls 20982->20985 20986 25e83a __dosmaperr 14 API calls 20983->20986 20984->20991 20985->20991 20986->20991 20987->20991 21017 26f6c0 20987->21017 21004 26f868 20988->21004 20991->20981 21029 26af0b LeaveCriticalSection 20992->21029 20994 26fb21 20994->20927 20996 26f23e 20995->20996 20997 26f24b 20995->20997 20998 25e84d __dosmaperr 14 API calls 20996->20998 21000 26f257 20997->21000 21001 25e84d __dosmaperr 14 API calls 20997->21001 20999 26f243 20998->20999 20999->20959 21000->20959 21002 26f278 21001->21002 21003 25afcf __strnicoll 41 API calls 21002->21003 21003->20999 21023 26f574 21004->21023 21006 269544 __strnicoll MultiByteToWideChar 21009 26f97c 21006->21009 21008 26f8fa 21010 25e84d __dosmaperr 14 API calls 21008->21010 21011 26f985 GetLastError 21009->21011 21013 26f8b0 21009->21013 21010->21013 21012 25e7f3 __dosmaperr 14 API calls 21011->21012 21012->21013 21013->20991 21014 26f90a 21015 269470 43 API calls 21014->21015 21016 26f8c4 21014->21016 21015->21016 21016->21006 21018 26f6f7 21017->21018 21019 26f787 21018->21019 21020 26f78c ReadFile 21018->21020 21019->20991 21020->21019 21021 26f7a9 21020->21021 21021->21019 21022 269470 43 API calls 21021->21022 21022->21019 21024 26f5a8 21023->21024 21025 26f617 ReadFile 21024->21025 21027 26f612 21024->21027 21026 26f630 21025->21026 21025->21027 21026->21027 21028 269470 43 API calls 21026->21028 21027->21008 21027->21013 21027->21014 21027->21016 21028->21027 21029->20994 22896 255d96 22897 255da5 22896->22897 22899 255dc9 22897->22899 22900 25ff01 22897->22900 22901 25ff14 _Fputc 22900->22901 22906 25fe38 22901->22906 22903 25ff29 22904 25ad0b _Fputc 41 API calls 22903->22904 22905 25ff36 22904->22905 22905->22899 22907 25fe4a 22906->22907 22909 25fe6d 22906->22909 22908 25af52 _Fputc 41 API calls 22907->22908 22910 25fe65 22908->22910 22909->22907 22911 25fe94 22909->22911 22910->22903 22914 25fd3d 22911->22914 22915 
25fd49 ___scrt_is_nonwritable_in_current_image 22914->22915 22922 25e984 EnterCriticalSection 22915->22922 22917 25fd57 22923 25fd98 22917->22923 22919 25fd64 22932 25fd8c 22919->22932 22922->22917 22924 25f411 ___scrt_uninitialize_crt 66 API calls 22923->22924 22925 25fdb3 22924->22925 22926 267618 14 API calls 22925->22926 22927 25fdbd 22926->22927 22928 264859 _unexpected 14 API calls 22927->22928 22929 25fdd8 22927->22929 22930 25fdfc 22928->22930 22929->22919 22931 2648b6 ___free_lconv_mon 14 API calls 22930->22931 22931->22929 22935 25e998 LeaveCriticalSection 22932->22935 22934 25fd75 22934->22903 22935->22934 21326 255699 21327 2556a0 21326->21327 21328 2556ec 21326->21328 21331 25e984 EnterCriticalSection 21327->21331 21330 2556a5 21331->21330 23131 255df1 23132 255e2f 23131->23132 23133 255dfa 23131->23133 23133->23132 23136 25f4e8 23133->23136 23135 255e22 23137 25f4fa 23136->23137 23140 25f503 ___scrt_uninitialize_crt 23136->23140 23138 25f36c ___scrt_uninitialize_crt 70 API calls 23137->23138 23139 25f500 23138->23139 23139->23135 23141 25f514 23140->23141 23144 25f30c 23140->23144 23141->23135 23145 25f318 ___scrt_is_nonwritable_in_current_image 23144->23145 23152 25e984 EnterCriticalSection 23145->23152 23147 25f326 23148 25f47a ___scrt_uninitialize_crt 70 API calls 23147->23148 23149 25f337 23148->23149 23153 25f360 23149->23153 23152->23147 23156 25e998 LeaveCriticalSection 23153->23156 23155 25f349 23155->23135 23156->23155 21596 2634c7 21597 2634d2 21596->21597 21601 2634e2 21596->21601 21602 2634e8 21597->21602 21600 2648b6 ___free_lconv_mon 14 API calls 21600->21601 21603 263503 21602->21603 21604 2634fd 21602->21604 21606 2648b6 ___free_lconv_mon 14 API calls 21603->21606 21605 2648b6 ___free_lconv_mon 14 API calls 21604->21605 21605->21603 21607 26350f 21606->21607 21608 2648b6 ___free_lconv_mon 14 API calls 21607->21608 21609 26351a 21608->21609 21610 2648b6 ___free_lconv_mon 14 API calls 21609->21610 21611 263525 21610->21611 21612 2648b6 
___free_lconv_mon 14 API calls 21611->21612 21613 263530 21612->21613 21614 2648b6 ___free_lconv_mon 14 API calls 21613->21614 21615 26353b 21614->21615 21616 2648b6 ___free_lconv_mon 14 API calls 21615->21616 21617 263546 21616->21617 21618 2648b6 ___free_lconv_mon 14 API calls 21617->21618 21619 263551 21618->21619 21620 2648b6 ___free_lconv_mon 14 API calls 21619->21620 21621 26355c 21620->21621 21622 2648b6 ___free_lconv_mon 14 API calls 21621->21622 21623 26356a 21622->21623 21628 263314 21623->21628 21629 263320 ___scrt_is_nonwritable_in_current_image 21628->21629 21644 25df0d EnterCriticalSection 21629->21644 21631 26332a 21634 2648b6 ___free_lconv_mon 14 API calls 21631->21634 21635 263354 21631->21635 21634->21635 21645 263373 21635->21645 21636 26337f 21637 26338b ___scrt_is_nonwritable_in_current_image 21636->21637 21649 25df0d EnterCriticalSection 21637->21649 21639 263395 21640 2635b5 _unexpected 14 API calls 21639->21640 21641 2633a8 21640->21641 21650 2633c8 21641->21650 21644->21631 21648 25df55 LeaveCriticalSection 21645->21648 21647 263361 21647->21636 21648->21647 21649->21639 21653 25df55 LeaveCriticalSection 21650->21653 21652 2633b6 21652->21600 21653->21652 19502 2679cc 19503 265986 _Ungetc 41 API calls 19502->19503 19506 2679d9 19503->19506 19504 2679e5 19505 267a31 19505->19504 19508 2659c2 41 API calls 19505->19508 19513 267a93 19505->19513 19506->19504 19506->19505 19525 267d62 19506->19525 19510 267a86 19508->19510 19510->19513 19533 267dfd 19510->19533 19514 267bbc 19513->19514 19515 265986 _Ungetc 41 API calls 19514->19515 19516 267bcb 19515->19516 19517 267c71 19516->19517 19518 267bde 19516->19518 19519 268935 ___scrt_uninitialize_crt 66 API calls 19517->19519 19520 267bfb 19518->19520 19523 267c22 19518->19523 19522 267aa4 19519->19522 19521 268935 ___scrt_uninitialize_crt 66 API calls 19520->19521 19521->19522 19523->19522 19538 269412 19523->19538 19526 267d7c 19525->19526 19527 267d78 19525->19527 19528 267dcb 19526->19528 19529 
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57fba0a0e8fca70ba91267858fdd6062cbd777d378e32fe33648f31ae7b35ac6
• Instruction ID: 4b8a0a8433f9b2cce0f4e20960bac85797d55ea9c35a4fddec325a202fb35bb5
• Opcode Fuzzy Hash: 57fba0a0e8fca70ba91267858fdd6062cbd777d378e32fe33648f31ae7b35ac6
• Instruction Fuzzy Hash: 8DF0E572A21230DBCB12DB4CC54AE5973ACEB05B51F510096F402E7540C2B0DE50CBC0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,0010445D,?,00265FBC,?,?,?,00000000), ref: 00265F70
Strings
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: fd942019d21e8f25ce32c289efcf211c124255be8ff4b35244afe4a557d19d51
• Instruction ID: a6aa1618688ba9d999b03fe62dbe2e47ebda94ceff6b4dfedfe97b712ebc8e3d
• Opcode Fuzzy Hash: fd942019d21e8f25ce32c289efcf211c124255be8ff4b35244afe4a557d19d51
• Instruction Fuzzy Hash: 7221E731A22A22EBCB219F60FC58A5A3758EF53760F254111F919A7690E770EE90C6D0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00251FDD: _strlen.LIBCMT ref: 00251FF5
• VirtualProtect.KERNELBASE(002CD040,000004AC,00000040,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 00273468
• FreeConsole.KERNELBASE ref: 0027346E
• Sleep.KERNELBASE(0000012C,0027339A), ref: 0027348E
Strings
• 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 00273427
Yara matches
Similarity
• API ID: ConsoleFreeProtectSleepVirtual_strlen
• String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
• API String ID: 3830758701-32248209
• Opcode ID: d7c06c8a34fa56406f6a713c2d9b8cce1f59a0a00bf56ef38d0d976aadf80e7b
• Instruction ID: 0d2303c7c5460a745385490e9cfcd27b057a9a40e95dd1972bd55608ad6a8bf1
• Opcode Fuzzy Hash: d7c06c8a34fa56406f6a713c2d9b8cce1f59a0a00bf56ef38d0d976aadf80e7b
• Instruction Fuzzy Hash: 0C11A331A612049BCB18FB74DC5AFED77B0AF05311F508025F509B61D1EF749A69CB19
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __alloca_probe_16.LIBCMT ref: 00267359
• __alloca_probe_16.LIBCMT ref: 0026741A
• __freea.LIBCMT ref: 00267481
  • Part of subcall function 00264AE0: HeapAlloc.KERNEL32(00000000,?,?,?,00000003,002636BA), ref: 00264B12
• __freea.LIBCMT ref: 00267496
• __freea.LIBCMT ref: 002674A6
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1096550386-0
                                                                                                                                    • Opcode ID: c0dfb833ba1738298b99a56290bf61d9b341bee48cae83ee3ebe9bea16e7418a
                                                                                                                                    • Instruction ID: 1f76d3643d243731411197d843470805608a833881f5d0f5b565a4dfbae4aa94
                                                                                                                                    • Opcode Fuzzy Hash: c0dfb833ba1738298b99a56290bf61d9b341bee48cae83ee3ebe9bea16e7418a
                                                                                                                                    • Instruction Fuzzy Hash: 3C51C572624207AFEB219F64EC85EBF7BA9EF44758B150168FC04D7250EB70CCB09A60
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

control_flow_graph 116 25de3b-25de46 117 25de5c-25de6f call 25ddeb 116->117 118 25de48-25de5b call 25e84d call 25afcf 116->118 123 25de71-25de8e CreateThread 117->123 124 25de9d 117->124 126 25de90-25de9c GetLastError call 25e7f3 123->126 127 25deac-25deb1 123->127 128 25de9f-25deab call 25dd5d 124->128 126->124 132 25deb3-25deb6 127->132 133 25deb8-25debc 127->133 132->133 133->128
APIs
• CreateThread.KERNELBASE(00000000,?,Function_0000DCDF,00000000,?,00000000), ref: 0025DE84
• GetLastError.KERNEL32(?,00000000,05D1745D,?,?,?,?,?,?,?,002534EF,?,00000000,?,?,?), ref: 0025DE90
• __dosmaperr.LIBCMT ref: 0025DE97
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastThread__dosmaperr
• String ID:
• API String ID: 2744730728-0
• Opcode ID: e6be9660b342fb0f0d6c0a732b12d48450c771916e5e8bcc391d27c819632d9e
• Instruction ID: 40d13cf01dec2cf537eb7a5686cbc5de1d624b807ce95400438007afdfbe1889
• Opcode Fuzzy Hash: e6be9660b342fb0f0d6c0a732b12d48450c771916e5e8bcc391d27c819632d9e
• Instruction Fuzzy Hash: F801B17252121AEFDF29AFA0DC06AAE7BB5FF11352F000058FC0196250DB70DE68DB99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 136 254590-2545a5 WaitForSingleObjectEx 137 2545a7-2545ac 136->137 138 2545d9-2545db 136->138 139 2545c4-2545d7 FindCloseChangeNotification 137->139 140 2545ae-2545bd GetExitCodeThread 137->140 141 2545dc-2545de 138->141 139->141 140->138 142 2545bf-2545c2 140->142 142->139
APIs
• WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,002540CE,?,?,00000000,?,?,00000000,?,?,00252FAB), ref: 0025459C
• GetExitCodeThread.KERNEL32(?,?,?,?,?,002540CE,?,?,00000000,?,?,00000000,?,?,00252FAB,?), ref: 002545B5
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,002540CE,?,?,00000000,?,?,00000000,?,?,00252FAB,?,00000001), ref: 002545C7
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
• String ID:
• API String ID: 3816883391-0
• Opcode ID: c96c93bfa9e473d4ed29108f3d82edf6d88d892fb6441880183363e74666f663
• Instruction ID: e22d8b1f7ea708cdd5ba56ac238081b47cb35de9dc1b701f708ead583933777f
• Opcode Fuzzy Hash: c96c93bfa9e473d4ed29108f3d82edf6d88d892fb6441880183363e74666f663
• Instruction Fuzzy Hash: C7F08232514119EBDB10AF64EC09B9D7B64EF11775F640310FD26D61E0E730DFA4AA84
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 143 25dd94-25dda1 call 263751 146 25dde1-25dde4 ExitThread 143->146 147 25dda3-25ddab 143->147 147->146 148 25ddad-25ddb1 147->148 149 25ddb3 call 266452 148->149 150 25ddb8-25ddbe 148->150 149->150 151 25ddc0-25ddc2 150->151 152 25ddcb-25ddd1 150->152 151->152 154 25ddc4-25ddc5 CloseHandle 151->154 152->146 155 25ddd3-25ddd5 152->155 154->152 155->146 156 25ddd7-25dddb FreeLibraryAndExitThread 155->156 156->146
APIs
  • Part of subcall function 00263751: GetLastError.KERNEL32(00000000,?,0025E852,002648AB,?,?,0026364D,00000001,00000364,?,00000002,000000FF,?,0025DD04,0027D328,0000000C), ref: 00263755
  • Part of subcall function 00263751: SetLastError.KERNEL32(00000000), ref: 002637F7
• CloseHandle.KERNEL32(?,?,?,0025DECB,?,?,0025DD3D,00000000), ref: 0025DDC5
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0025DECB,?,?,0025DD3D,00000000), ref: 0025DDDB
• ExitThread.KERNEL32 ref: 0025DDE4
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastThread$CloseFreeHandleLibrary
• String ID:
• API String ID: 1991824761-0
• Opcode ID: d188dd0d3229a43d224841041a867e83b96b63ebd6e38da7faaaf4f20caa863c
• Instruction ID: 499abb0a4a982cf8067767d5efc8b41724420dab17808af0e6f11b4cb4b5bcb3
• Opcode Fuzzy Hash: d188dd0d3229a43d224841041a867e83b96b63ebd6e38da7faaaf4f20caa863c
• Instruction Fuzzy Hash: 5DF089331126016BCB356F75CC0C65677B9AF01326F154654FC29C71B0DB30DCA9C655
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000002,?,00261369,0025DFC6,0025DFC6,?,00000002,0010445D,0025DFC6,00000002), ref: 00261380
• TerminateProcess.KERNEL32(00000000,?,00261369,0025DFC6,0025DFC6,?,00000002,0010445D,0025DFC6,00000002), ref: 00261387
• ExitProcess.KERNEL32 ref: 00261399
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 54d3b660b0c4bdf197fd1625e4819a70eaaa2bab6d4f4536350e4b2adc032b1b
• Instruction ID: b7b51a5ee5e66055ed47ca04d36fc7866b441b530a24aff1c590cae0d1744f39
• Opcode Fuzzy Hash: 54d3b660b0c4bdf197fd1625e4819a70eaaa2bab6d4f4536350e4b2adc032b1b
• Instruction Fuzzy Hash: 84D06C32010208ABCF053FA1FC0D9593F2ABA80342B088051BA0A4A131CB32A9F29A91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 164 268a3d-268a5c 165 268c36 164->165 166 268a62-268a64 164->166 167 268c38-268c3c 165->167 168 268a66-268a85 call 25af52 166->168 169 268a90-268ab6 166->169 175 268a88-268a8b 168->175 170 268abc-268ac2 169->170 171 268ab8-268aba 169->171 170->168 174 268ac4-268ace 170->174 171->170 171->174 176 268ad0-268adb call 2694b0 174->176 177 268ade-268ae9 call 2685c1 174->177 175->167 176->177 182 268b2b-268b3d 177->182 183 268aeb-268af0 177->183 184 268b8e-268bae WriteFile 182->184 185 268b3f-268b45 182->185 186 268b15-268b29 call 268187 183->186 187 268af2-268af6 183->187 188 268bb0-268bb6 GetLastError 184->188 189 268bb9 184->189 191 268b47-268b4a 185->191 192 268b7c-268b87 call 26863f 185->192 205 268b0e-268b10 186->205 193 268bfe-268c10 187->193 194 268afc-268b0b call 268559 187->194 188->189 197 268bbc-268bc7 189->197 198 268b4c-268b4f 191->198 199 268b6a-268b7a call 268803 191->199 204 268b8c 192->204 200 268c12-268c18 193->200 201 268c1a-268c2c 193->201 194->205 206 268c31-268c34 197->206 207 268bc9-268bce 197->207 198->193 208 268b55-268b60 call 26871a 198->208 210 268b65-268b68 199->210 200->165 200->201 201->175 204->210 205->197 206->167 211 268bd0-268bd5 207->211 212 268bfc 207->212 208->210 210->205 215 268bd7-268be9 211->215 216 268bee-268bf7 call 25e816 211->216 212->193 215->175 216->175
APIs
  • Part of subcall function 00268187: GetConsoleOutputCP.KERNEL32(0010445D,00000000,00000000,00000000), ref: 002681EA
• WriteFile.KERNEL32(?,00000000,?,0027D798,00000000,0000000C,00000000,00000000,?,00000000,0027D798,00000010,0025FC7A,00000000,00000000,00000000), ref: 00268BA6
• GetLastError.KERNEL32(?,00000000), ref: 00268BB0
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: 7b0823b62b103811b9c1602bd6c86641a214e466b9681bd497f2cf6e8731a73b
• Instruction ID: 3388feecb5813d1a025adc420cb779b3b2faf6a109edc8cdac2c7b6b12fa4f61
• Opcode Fuzzy Hash: 7b0823b62b103811b9c1602bd6c86641a214e466b9681bd497f2cf6e8731a73b
• Instruction Fuzzy Hash: 7961A6B1D20149AFDF15CFA8C884EEEBBB9EF09318F144245E804E7252DB71C9A5CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 219 26a6cb-26a6f3 call 26a1fb 222 26a8bb-26a8bc call 26a26c 219->222 223 26a6f9-26a6ff 219->223 226 26a8c1-26a8c3 222->226 224 26a702-26a708 223->224 227 26a70e-26a71a 224->227 228 26a80a-26a829 call 258f70 224->228 229 26a8c4-26a8d2 call 2565b4 226->229 227->224 230 26a71c-26a722 227->230 238 26a82c-26a831 228->238 233 26a802-26a805 230->233 234 26a728-26a734 IsValidCodePage 230->234 233->229 234->233 237 26a73a-26a741 234->237 241 26a743-26a74f 237->241 242 26a769-26a776 GetCPInfo 237->242 239 26a833-26a838 238->239 240 26a86e-26a878 238->240 243 26a83a-26a842 239->243 244 26a86b 239->244 240->238 245 26a87a-26a8a4 call 26a1bd 240->245 246 26a753-26a75f call 26a2cf 241->246 247 26a7f6-26a7fc 242->247 248 26a778-26a797 call 258f70 242->248 249 26a844-26a847 243->249 250 26a863-26a869 243->250 244->240 259 26a8a5-26a8b4 245->259 256 26a764 246->256 247->222 247->233 248->246 260 26a799-26a7a0 248->260 254 26a849-26a84f 249->254 250->239 250->244 254->250 258 26a851-26a861 254->258 256->226 258->250 258->254 259->259 263 26a8b6 259->263 261 26a7a2-26a7a7 260->261 262 26a7cc-26a7cf 260->262 261->262 264 26a7a9-26a7b1 261->264 265 26a7d4-26a7db 262->265 263->222 266 26a7c4-26a7ca 264->266 267 26a7b3-26a7ba 264->267 265->265 268 26a7dd-26a7f1 call 26a1bd 265->268 266->261 266->262 269 26a7bb-26a7c2 267->269 268->246 269->266 269->269
APIs
• Part of subcall function 0026A1FB: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 0026A226
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0026A512,?,00000000,?,00000000,?), ref: 0026A72C
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026A512,?,00000000,?,00000000,?), ref: 0026A76E
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: f8c93dfbb9e8783d167fc496f279cc047b5a79ee591389880548a54f90906c33
• Instruction ID: 8d7e521e129ec322bd750b6a558397d02291ccd6ba1d7f3b3e43e31ced4f2b25
• Opcode Fuzzy Hash: f8c93dfbb9e8783d167fc496f279cc047b5a79ee591389880548a54f90906c33
• Instruction Fuzzy Hash: 7B512570A103469EDB21CF75C885AAEFBF5EF81300F14446ED086A7252E7749996CF52
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 272 255a4e-255a6e 273 255a70-255a77 call 255a34 272->273 274 255a79-255a80 272->274 282 255ace-255adc call 2565b4 273->282 276 255aa2-255aa6 274->276 277 255a82-255a8c 274->277 280 255aa8-255ab7 call 2556aa 276->280 281 255acb 276->281 277->276 279 255a8e-255aa0 277->279 279->282 287 255adf-255b14 280->287 288 255ab9-255abd call 254f35 280->288 281->282 294 255b16-255b19 287->294 295 255b3a-255b42 287->295 291 255ac2-255ac6 288->291 291->281 292 255ac8 291->292 292->281 294->295 298 255b1b-255b1f 294->298 296 255b44-255b55 call 25fd03 295->296 297 255b5b-255b65 295->297 296->281 296->297 297->281 300 255b6b-255b6e 297->300 298->281 301 255b21-255b30 call 254f35 298->301 300->282 301->281 305 255b32-255b38 301->305 305->281
APIs
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Fputc
• String ID:
• API String ID: 3078413507-0
• Opcode ID: dbbb5526558c4ac3f756023ee40c31dabc7d35c493743e3b3bae6cee53ca9999
• Instruction ID: c20e87860d4314215841a65438118f96a202e1a55a31e73d62838c2d186aadd3
• Opcode Fuzzy Hash: dbbb5526558c4ac3f756023ee40c31dabc7d35c493743e3b3bae6cee53ca9999
• Instruction Fuzzy Hash: B2418236920A2BABCF15DF64C4D48EDB7B8FF08315B584126F802A7640E731ED69CB94
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 306 26863f-268694 call 257320 309 268696 306->309 310 268709-268719 call 2565b4 306->310 312 26869c 309->312 314 2686a2-2686a4 312->314 315 2686a6-2686ab 314->315 316 2686be-2686e3 WriteFile 314->316 319 2686b4-2686bc 315->319 320 2686ad-2686b3 315->320 317 2686e5-2686f0 316->317 318 268701-268707 GetLastError 316->318 317->310 321 2686f2-2686fd 317->321 318->310 319->314 319->316 320->319 321->312 322 2686ff 321->322 322->310
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00268B8C,00000000,00000000,00000000,?,0000000C,00000000), ref: 002686DB
• GetLastError.KERNEL32(?,00268B8C,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,0027D798,00000010,0025FC7A,00000000,00000000), ref: 00268701
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 108ce720821c91f81d4774ddf1ad890a9bf025172972f7329ddace0fe1a8f06c
• Instruction ID: 216da1b649ef86ab33d5d25b14c06f2a3cb93a672012738a396ffb0f5e5d062e
• Opcode Fuzzy Hash: 108ce720821c91f81d4774ddf1ad890a9bf025172972f7329ddace0fe1a8f06c
• Instruction Fuzzy Hash: 0121B474A102199BCF19CF19DC80AD9B7B9EB58305F2441A9E906D7211DB30DD968F60
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 323 265b9d-265ba2 324 265ba4-265bbc 323->324 325 265bbe-265bc2 324->325 326 265bca-265bd3 324->326 325->326 329 265bc4-265bc8 325->329 327 265be5 326->327 328 265bd5-265bd8 326->328 333 265be7-265bf4 GetStdHandle 327->333 331 265be1-265be3 328->331 332 265bda-265bdf 328->332 330 265c3f-265c43 329->330 330->324 336 265c49-265c4c 330->336 331->333 332->333 334 265bf6-265bf8 333->334 335 265c21-265c33 333->335 334->335 337 265bfa-265c03 GetFileType 334->337 335->330 338 265c35-265c38 335->338 337->335 339 265c05-265c0e 337->339 338->330 340 265c16-265c19 339->340 341 265c10-265c14 339->341 340->330 342 265c1b-265c1f 340->342 341->330 342->330
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00265BE9
• GetFileType.KERNELBASE(00000000), ref: 00265BFB
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: d563486cb309aecc1daf2a814f1907284938f65579cc45b496383d6a7d64eea0
• Instruction ID: 2f9beeb1402cd43db4b66cddaf52e89cb735172b0780107f98f7bbc1175482ac
• Opcode Fuzzy Hash: d563486cb309aecc1daf2a814f1907284938f65579cc45b496383d6a7d64eea0
• Instruction Fuzzy Hash: 9C11D331234F668AC7304E3E9CC8622BA95AB56374F380B1BE1B7861F1C774D9E69644
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• GetLastError.KERNEL32(0027D328,0000000C), ref: 0025DCF2
• ExitThread.KERNEL32 ref: 0025DCF9
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: 22b0f3f7749bc762bd50d65d9ce4c9839b6d55cd5787f45c7fdbd0cc9521f747
• Instruction ID: 756301659d67ec0f59ca438e136cbe79125504833280c398b665d95d9b82eede
• Opcode Fuzzy Hash: 22b0f3f7749bc762bd50d65d9ce4c9839b6d55cd5787f45c7fdbd0cc9521f747
• Instruction Fuzzy Hash: 0EF0F671910205AFDB14BFB0D80EB6E7B75FF51701F140049F8099B252CB34A9A5CFA1
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 362 266389-266398 call 265e7b 365 2663c1-2663db call 2663e6 LCMapStringW 362->365 366 26639a-2663bf LCMapStringEx 362->366 370 2663e1-2663e3 365->370 366->370
                                                                                                                                    APIs
                                                                                                                                    • LCMapStringEx.KERNELBASE(?,002673C0,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002663BD
                                                                                                                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,002673C0,?,?,00000000,?,00000000), ref: 002663DB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: String
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2568140703-0
Uniqueness

• Uniqueness Score: -1.00%

Control-flow Graph

(interactive graph omitted; it covers basic blocks 2540aa-2540e8, with calls to GetCurrentThreadId, 254590 and 254746)

APIs
• GetCurrentThreadId.KERNEL32 ref: 002540B5
• std::_Throw_Cpp_error.LIBCPMT ref: 002540E3
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorCurrentThreadThrow_std::_
• String ID:
• API String ID: 350343453-0
Uniqueness

• Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(E8458D00,?,0026A51E,0026A512,00000000), ref: 0026A301
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
Uniqueness

• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

• Uniqueness Score: -1.00%

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00251D73
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
Uniqueness

• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
Uniqueness

• Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,0026D24F,00000002,00000000,?,?,?,0026D24F,?,00000000), ref: 0026CFCA
• GetLocaleInfoW.KERNEL32(?,20001004,0026D24F,00000002,00000000,?,?,?,0026D24F,?,00000000), ref: 0026CFF3
• GetACP.KERNEL32(?,?,0026D24F,?,00000000), ref: 0026D008
Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
                                                                                                                                    • Opcode ID: 6e4b8d924c29abd5f7304e0c3a984cf7fb8ce01d6afe6c661fe4cf4bf631967a
                                                                                                                                    • Instruction ID: 1290f5cb0f619cd13ea0d72fa00163f35c1eafefcfb7b518887911832eabb665
                                                                                                                                    • Opcode Fuzzy Hash: 6e4b8d924c29abd5f7304e0c3a984cf7fb8ce01d6afe6c661fe4cf4bf631967a
                                                                                                                                    • Instruction Fuzzy Hash: 2A21D632B20107B6D734AF14D904BA772A7BB54B50B768026E98DD7504F772DDE0C790
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
  • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0026D212
• IsValidCodePage.KERNEL32(00000000), ref: 0026D25B
• IsValidLocale.KERNEL32(?,00000001), ref: 0026D26A
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0026D2B2
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0026D2D1
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: d5a2d862b5e366c5e591921964bc1db3c9aa1cc93723bc5167b3c1a1dee0722a
• Instruction ID: 7c710bec21f6e30a3588e7476cf41352a183b5d2644511d8f69b472b7a6a04c1
• Opcode Fuzzy Hash: d5a2d862b5e366c5e591921964bc1db3c9aa1cc93723bc5167b3c1a1dee0722a
• Instruction Fuzzy Hash: 4A518371F2020AABDB10EFA4DC85ABA77B8FF49700F144169F915E7151EBB0D9A08B60
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: }&$}&
• API String ID: 0-2963072621
• Opcode ID: cc5fc3ef393b46102073ef610e3e9dbb82813f9c322e73eebb45c748b4ac2cad
• Instruction ID: d6aaba01779d6a1fea9e33e297fe933f49470ab8b318c23ca937b03925975027
• Opcode Fuzzy Hash: cc5fc3ef393b46102073ef610e3e9dbb82813f9c322e73eebb45c748b4ac2cad
• Instruction Fuzzy Hash: 83F14E71E1021A9FDF14CFA8C8D06AEB7B1FF88324F158269E919A7380D730AD559F94
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
  • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
• GetACP.KERNEL32(?,?,?,?,?,?,00261D22,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0026C863
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00261D22,?,?,?,00000055,?,-00000050,?,?), ref: 0026C88E
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0026C9F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
• Opcode ID: 5d0f4f6dfa154e253278587831c8125b651128e8611238b22f4b1b92de26e7e7
• Instruction ID: 7ac61055f05a572daa42ff4cc234798232fbff4dc8a1d685f4715a7dca77972a
• Opcode Fuzzy Hash: 5d0f4f6dfa154e253278587831c8125b651128e8611238b22f4b1b92de26e7e7
• Instruction Fuzzy Hash: 9A711771621206AADB25BF74CC46BB673ACEF09700F244429F585D7181FBB4E9E0CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: c8b3115fbadac6014dafda632bdcae0fab0cd1c18024c0d8385e16eb91cb886f
• Instruction ID: b427a9259a8e80c7ace5775f904646126a089b59c25157f841f32006c8817fab
• Opcode Fuzzy Hash: c8b3115fbadac6014dafda632bdcae0fab0cd1c18024c0d8385e16eb91cb886f
• Instruction Fuzzy Hash: AEB17B32D242469FDB15EF68C881BEEBBE5FF55300F158166E894AB341C2359DA1CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0025709F
• IsDebuggerPresent.KERNEL32 ref: 0025716B
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00257184
• UnhandledExceptionFilter.KERNEL32(?), ref: 0025718E
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: df521bf5aee74bbda2c29827d2d0e70c786dae944c8004b62f73a43ac998da60
• Instruction ID: bde0b176d3348d1145fbb380f400279644e601c184b18548ba4db4d170d6b7d9
• Opcode Fuzzy Hash: df521bf5aee74bbda2c29827d2d0e70c786dae944c8004b62f73a43ac998da60
• Instruction Fuzzy Hash: 7F312C75D55219DBDF20EFA4E8497CDBBB8AF48300F10419AE90DAB250EB709A84CF45
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
  • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026CC09
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026CC53
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026CD19
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoLocale$ErrorLast
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 661929714-0
                                                                                                                                    • Opcode ID: 7a2f8336b3b17bef7734e980345c714b2adb8f280dd21db4a6eac20a3826d413
                                                                                                                                    • Instruction ID: 1306ed6327d1ff75cb796cc7395d5b8dc4cccd54793a863faf1b472f7e8566ad
                                                                                                                                    • Opcode Fuzzy Hash: 7a2f8336b3b17bef7734e980345c714b2adb8f280dd21db4a6eac20a3826d413
                                                                                                                                    • Instruction Fuzzy Hash: 196184719201179FDB28AF28CD86BBA7BA8FF05300F2041B6E955C6185EB74D9E1CF94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0025AECB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0025AED5
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0025AEE2
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: f2f095300724e70777cbb84e5e2d99e3235eaaa11b7824543bd397eb710422c7
• Instruction ID: 2fb33c8aa45193f6194fdbbfa1cc6d63f972ae919c80e4c38e8cd6c451c972a4
• Opcode Fuzzy Hash: f2f095300724e70777cbb84e5e2d99e3235eaaa11b7824543bd397eb710422c7
• Instruction Fuzzy Hash: 4E31D4749112299BCB21DF64D88978DBBB8BF48311F5042EAE81CA7250EB709FD58F49
Uniqueness
• Uniqueness Score: -1.00%

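The entries in this part of the report are raw per-function call-site listings, and the overview signature "Contains functionality to check if a debugger is running (IsDebuggerPresent)" rests on the single IsDebuggerPresent call at 0025AECB. That call is immediately followed, within a few bytes, by SetUnhandledExceptionFilter(00000000) and UnhandledExceptionFilter, which is also the shape of the MSVC CRT's own fault-reporting path, so on its own it is a weak anti-debugging indicator. The following script is an added example, not part of the Joe Sandbox report: it parses call lines in the shape the report prints (including the nested "Part of subcall function" lines), decodes the constants the Windows SDK defines for two of the calls listed here (C000000D passed to RaiseException is STATUS_INVALID_PARAMETER; 0000000A passed to IsProcessorFeaturePresent is PF_XMMI64_INSTRUCTIONS_AVAILABLE, an SSE2 check), and separates a lone IsDebuggerPresent from the three-call sequence. The sample text is constructed from this report's lines with argument lists shortened, and the 64-byte proximity rule is this example's own heuristic, not something the report states.

```python
# Added example (not part of the Joe Sandbox report): parse the per-function "APIs"
# lists the report prints and triage them. Constant names are from the Windows SDK
# (ntstatus.h, winnt.h); the CRT-pattern heuristic in triage() is this example's own.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: call lines copied from this report, argument lists shortened.
SAMPLE_REPORT = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0025AECB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0025AED5
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0025AEE2
Uniqueness Score: -1.00%
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 00264440
Uniqueness Score: -1.00%
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00256B92
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04), ref: 00263604
  • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
• EnumSystemLocalesW.KERNEL32(0026CBB5,00000001,00000000,?,-00000050), ref: 0026CB01
Uniqueness Score: -1.00%
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
NTSTATUS_NAMES = {0xC000000D: "STATUS_INVALID_PARAMETER"}
PROCESSOR_FEATURE_NAMES = {0x0A: "PF_XMMI64_INSTRUCTIONS_AVAILABLE"}  # i.e. an SSE2 check


@dataclass
class ApiCall:
    api: str
    args: list                        # int per argument, None where the report prints "?"
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # parent function for nested "Part of subcall" lines


def parse_arg(token: str) -> Optional[int]:
    """'?' -> None, '00000078' -> 0x78, '-00000327' -> -0x327 (the report prints signed hex)."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return -int(token[1:], 16) if token.startswith("-") else int(token, 16)


def parse_entries(text: str) -> list:
    """Return one list of ApiCall per 'APIs' heading; 'Uniqueness Score' closes an entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
        elif current is not None and line.strip().startswith("Uniqueness Score"):
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            current.append(ApiCall(m["api"], [parse_arg(t) for t in m["args"].split(",")],
                                   int(m["ref"], 16), int(m["parent"], 16) if m["parent"] else None))
    return entries


def decode_call(call: ApiCall) -> Optional[str]:
    """Name the first argument where the SDK defines it (RaiseException code, PF_* feature)."""
    first = call.args[0] if call.args else None
    if first is None:
        return None
    if call.api == "RaiseException":
        return NTSTATUS_NAMES.get(first & 0xFFFFFFFF, "unknown NTSTATUS 0x%08X" % (first & 0xFFFFFFFF))
    if call.api == "IsProcessorFeaturePresent":
        return PROCESSOR_FEATURE_NAMES.get(first, "unknown PF_* %d" % first)
    return None


def triage(entry: list) -> str:
    """'anti-debug' when IsDebuggerPresent is called on its own; 'crt-report-fault-pattern'
    when SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter sit within 64 bytes
    of it, the shape the MSVC CRT's fault-reporting path also has (a heuristic, not proof);
    'no-anti-analysis-indicator' otherwise. Only the function's own calls count, not subcalls."""
    direct = [c for c in entry if c.subcall_of is None]
    names = {c.api for c in direct}
    if "IsDebuggerPresent" not in names:
        return "no-anti-analysis-indicator"
    resets = any(c.api == "SetUnhandledExceptionFilter" and c.args[:1] == [0] for c in direct)
    refs = [c.ref for c in direct]
    if resets and "UnhandledExceptionFilter" in names and max(refs) - min(refs) <= 0x40:
        return "crt-report-fault-pattern"
    return "anti-debug"


def summarize(text: str) -> list:
    """Per entry: verdict, direct API names and decoded constants keyed by API."""
    rows = []
    for entry in parse_entries(text):
        decoded = {c.api: decode_call(c) for c in entry if decode_call(c)}
        rows.append({"verdict": triage(entry), "decoded": decoded,
                     "apis": sorted({c.api for c in entry if c.subcall_of is None})})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Run against the full report text (the `•` call lines, "APIs" headings and "Uniqueness Score" lines are what the parser keys on), the output gives one row per function; the IsDebuggerPresent entry above comes back as the CRT-shaped pattern, while an IsDebuggerPresent call site with no exception-filter calls beside it is what the verdict `anti-debug` is reserved for and is the one worth opening in the disassembler.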
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0026420E,?,?,00000008,?,?,00272345,00000000), ref: 00264440
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 0b22adc9a9c17e9e80ccf69c5a8707553d83f9447c2191d3e82b4fcaca8e5126
• Instruction ID: 7a74b6b2cf5a67f8ca9906708a97d4622a5fe7ddb9acd611e0a4d950c50af939
• Opcode Fuzzy Hash: 0b22adc9a9c17e9e80ccf69c5a8707553d83f9447c2191d3e82b4fcaca8e5126
• Instruction Fuzzy Hash: C9B15E31220609DFD718DF28C486B657BE0FF45364F258698E8D9CF2A1C735E9A2CB40
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00256B92
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 94a7d49f349cde4134f80f2485f077a20fce010b10d1f7954007cd2f99e7c699
• Instruction ID: ad46d95f9e30e4ee5fb16548c79efcd6a3f8b9536f66fd1d6d61d13d24c0fca9
• Opcode Fuzzy Hash: 94a7d49f349cde4134f80f2485f077a20fce010b10d1f7954007cd2f99e7c699
• Instruction Fuzzy Hash: 0751B071A226068BDB68CF65E8C93AEB7F0FB44312F24842AC849EB350D3749D58CB54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 018c72106fa2d0d2ba6754f344609430137466f6c4620b6345ace9038fe727ca
• Instruction ID: 3c0168ab07e2001f07c13e2c83502475eaf62ac5175204943e6b6a085abc7b07
• Opcode Fuzzy Hash: 018c72106fa2d0d2ba6754f344609430137466f6c4620b6345ace9038fe727ca
• Instruction Fuzzy Hash: 3741B2B5814219AEDF20DF69CC89AAABBBCEB49300F1442E9E41DD3201DA359ED48F50
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 996fd7d5141208f1b8db28b845563de59e8b988a7265e3ff6f6678d28e6d1fae
• Instruction ID: a1e610584a582094d9860f08d251af8a467c6b110bd1772a326bf883c58b5a4f
• Opcode Fuzzy Hash: 996fd7d5141208f1b8db28b845563de59e8b988a7265e3ff6f6678d28e6d1fae
• Instruction Fuzzy Hash: 36C1E0305206068FCB34CF68C48067EBBB2AF45302F244A1ADC56DB692D770ED6ECB59
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
  • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0026CE5C
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 6cae0339eb3a6820099663f6bcc66baaef786e02fec6ef35f3c11f94eafdc2e4
• Instruction ID: cbfca6d5666f6bbe0ed924ac297adb85896c50b48bc36203343b1a38f8ca03c4
• Opcode Fuzzy Hash: 6cae0339eb3a6820099663f6bcc66baaef786e02fec6ef35f3c11f94eafdc2e4
• Instruction Fuzzy Hash: 63219572625207ABDB28BF25DC46B7A77BCEF45310B20007AFD11D6141EB75EDA08B54
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
                                                                                                                                      • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0026CBB5,00000001,00000000,?,-00000050,?,0026D1E6,00000000,?,?,?,00000055,?), ref: 0026CB01
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                    • Opcode ID: e9760e3415e7b1714946d2f8b1776188d05d9e3cccea95d4851ac74caa6bd3f0
                                                                                                                                    • Instruction ID: 470945c3ceafe149e24154e0757cc1291bd20635426dbd3b38e45726e70f9d9d
                                                                                                                                    • Opcode Fuzzy Hash: e9760e3415e7b1714946d2f8b1776188d05d9e3cccea95d4851ac74caa6bd3f0
                                                                                                                                    • Instruction Fuzzy Hash: 02114C372103069FDB18EF78D89257AB791FF84318B24442DE9C687B40D7717992CB40
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
                                                                                                                                      • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0026CDD1,00000000,00000000,?), ref: 0026D063
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$InfoLocale
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3736152602-0
                                                                                                                                    • Opcode ID: 7d58e6d17ee8d4d67848b303bb6b131240823fd87463248a0892eb680c3ab5b8
                                                                                                                                    • Instruction ID: d1656877da8a135e40c037feadb1f6ad8d82c123ce1ddf768179368de8e06f59
                                                                                                                                    • Opcode Fuzzy Hash: 7d58e6d17ee8d4d67848b303bb6b131240823fd87463248a0892eb680c3ab5b8
                                                                                                                                    • Instruction Fuzzy Hash: 9EF0A932F2011BBBDB285E74CC06BBA7B58EB40754F154424ED05A7180EA74FED2C690
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
                                                                                                                                      • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0026CE08,00000001,?,?,-00000050,?,0026D1AA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0026CB74
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                    • Opcode ID: 53bb000253c67600d489d52f50acae4afd879df00557a408b1b3f40beba542fe
                                                                                                                                    • Instruction ID: 78a1d7896e1b7134d60cfb8bb35fd816372288fb37173fc7045df552fa4a5433
                                                                                                                                    • Opcode Fuzzy Hash: 53bb000253c67600d489d52f50acae4afd879df00557a408b1b3f40beba542fe
                                                                                                                                    • Instruction Fuzzy Hash: DDF022362143056FCB24AF39D882A7ABB94EB8132CB24842DF9864B680C7719C91CA50
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0025DF0D: EnterCriticalSection.KERNEL32(?,?,002632D8,?,0027D618,00000008,0026349C,?,?,?), ref: 0025DF1C
                                                                                                                                    • EnumSystemLocalesW.KERNEL32(00265CD9,00000001,0027D6D8,0000000C,00266148,00000000), ref: 00265D1E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1272433827-0
                                                                                                                                    • Opcode ID: cf76294a6c72f7ca339d3d6bdd711d0bbe3b7bf37b5216e0de5e44b30830b78a
                                                                                                                                    • Instruction ID: 64a8b2033525eae307467c0ab7650c1fdc3dcbbf71d88b617898ba67cc35d37c
                                                                                                                                    • Opcode Fuzzy Hash: cf76294a6c72f7ca339d3d6bdd711d0bbe3b7bf37b5216e0de5e44b30830b78a
                                                                                                                                    • Instruction Fuzzy Hash: 66F04976A54200DFD700EF98E846B9D77B0FB05721F10852AF815EB2A1DBB54954CF84
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00263600: GetLastError.KERNEL32(?,?,0025DD04,0027D328,0000000C), ref: 00263604
                                                                                                                                      • Part of subcall function 00263600: SetLastError.KERNEL32(00000000), ref: 002636A6
                                                                                                                                    • EnumSystemLocalesW.KERNEL32(0026C99D,00000001,?,?,?,0026D208,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0026CA7B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2417226690-0
                                                                                                                                    • Opcode ID: 4a09dca08f0663b2e5b446066442469f4713a1cf4e1d48d2b781133c139a0a1b
                                                                                                                                    • Instruction ID: aa186a60b4bb01ad7b80c27aa744d0f4dc68061596e58c3ee105b0030ee492aa
                                                                                                                                    • Opcode Fuzzy Hash: 4a09dca08f0663b2e5b446066442469f4713a1cf4e1d48d2b781133c139a0a1b
                                                                                                                                    • Instruction Fuzzy Hash: 81F0E53630020A57CB08EF75D84A67ABF94EFC2710B1A8059EA4A8B650C7719D92C7A0
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00262888,?,20001004,00000000,00000002,?,?,00261E8A), ref: 00266280
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoLocale
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                    • Opcode ID: 6ecc844be3ac6764e6b4066af36477ec8b695093338508e877c4fec67942ac1d
                                                                                                                                    • Instruction ID: 729f343196babdbab710ca3a146eb6d8d55bae63c92086ab1d528b1fcb37fa25
                                                                                                                                    • Opcode Fuzzy Hash: 6ecc844be3ac6764e6b4066af36477ec8b695093338508e877c4fec67942ac1d
                                                                                                                                    • Instruction Fuzzy Hash: B0E04F35910129BBCF123F61EC0CEAE7F25EF44750F044011FD0965261CB7189B1AAD4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_000071FB,0025675F), ref: 002571F4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                    • Opcode ID: 2288b6c392170990a64a5ede5dee5a61a42335225e5936fcb3584182fe28f2ad
                                                                                                                                    • Instruction ID: e8572b13685bc8a7e5204db1bfd3d6c1e687e7efbc78ee8c687a6edc4a6ae0d9
                                                                                                                                    • Opcode Fuzzy Hash: 2288b6c392170990a64a5ede5dee5a61a42335225e5936fcb3584182fe28f2ad
                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• API ID: HeapProcess
• API String ID: 54951025-0
• Opcode ID: 3ff8b9a0518009edd3a000567832c768d7559efa89bfb335461bc6f9d47cba8d
• Instruction ID: e03fb8e4adcb2777babe5d681872cfa5c284a56fb0d5cf776163077dd37a5056
• Opcode Fuzzy Hash: 3ff8b9a0518009edd3a000567832c768d7559efa89bfb335461bc6f9d47cba8d
• Instruction Fuzzy Hash: E4A02230382202CF8380AF3ABF0C30E3AECAA082C0B8080F8A00CC2830EB3080C08F00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• Opcode ID: cc75d264d6df0c974cfefd35eba923a3b78640df4b29e97193cdf58164f43ca1
• Instruction ID: fb3ebf288ac9c4b02f2f80e7d725f9ab67d858e53510094abfdb99ac4191145f
• Opcode Fuzzy Hash: cc75d264d6df0c974cfefd35eba923a3b78640df4b29e97193cdf58164f43ca1
• Instruction Fuzzy Hash: C672336144F3D29FD7235B748C749E27FB4AE6721432E08DBD4C18B0A3E2191A6AD772
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• Opcode ID: dabb241905c3eb9b0e1454d179015fc64f1cf1698284bc9214990e0cc0263b2c
• Instruction ID: 749903b2cbd6a58004e9553f3ee1f4ab6d2944a631bea3960ab963af41fffcc4
• Opcode Fuzzy Hash: dabb241905c3eb9b0e1454d179015fc64f1cf1698284bc9214990e0cc0263b2c
• Instruction Fuzzy Hash: 2C22F26144F3C28FC7138B749CB56917FB0AE6722431E45DBD8C1CF4A3E2291A5ADB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
• API String ID: 3471368781-0
• Opcode ID: 2606b65d88e2cf1bf92911d0187a0c7a8f71f517fe91556766bef729f3405af3
• Instruction ID: 1d0d8d513e6254ab0ae37a2a17b99c33dca0ed8b9f8152f8806d4ef196b3ab9f
• Opcode Fuzzy Hash: 2606b65d88e2cf1bf92911d0187a0c7a8f71f517fe91556766bef729f3405af3
• Instruction Fuzzy Hash: 32B1E7756207468BDB34AF24CC92BB7B3A8EF44308F64456DE983C6640EAB5F9D58B10
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
• Instruction ID: 0740f571c5bddcefba1886bc75db29b3d2e5725c4d89ac0c9f2f347984bcceab
• Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
• Instruction Fuzzy Hash: CEE08C32A21238EBCB24DB8CC90998AF7FCEB49B00F51009AB502D3510C270DE40CBD0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Similarity
• Opcode ID: 3da4f83a5918d30f6bdc2d3a9b5a9a71a98674656316bf03d7550efdecabfc24
• Instruction ID: 4782fc9b8ba67a585e9b3ec6c0d3d695583964920f8fb8d17f07275d7d8e7d1b
• Opcode Fuzzy Hash: 3da4f83a5918d30f6bdc2d3a9b5a9a71a98674656316bf03d7550efdecabfc24
• Instruction Fuzzy Hash: 37C08CB402098046CE298E348277BA43354B391783F88088CC4430BB82CD1EACE7DA00
Uniqueness
Uniqueness Score: -1.00%

APIs
• type_info::operator==.LIBVCRUNTIME ref: 00259E07
• ___TypeMatch.LIBVCRUNTIME ref: 00259F15
• _UnwindNestedFrames.LIBCMT ref: 0025A067
• CallUnexpected.LIBVCRUNTIME ref: 0025A082
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                    • String ID: csm$csm$csm$pS'
                                                                                                                                    • API String ID: 2751267872-2970452684
                                                                                                                                    • Opcode ID: aceb8ceebf84d0950821cb7c46be3ab140f2d93cea65e81aa24656caec29b4fe
                                                                                                                                    • Instruction ID: 10e0765c0d423fd3a1f1534856a68f01f0398a21e4e92dc3e4151a225dc8154f
                                                                                                                                    • Opcode Fuzzy Hash: aceb8ceebf84d0950821cb7c46be3ab140f2d93cea65e81aa24656caec29b4fe
                                                                                                                                    • Instruction Fuzzy Hash: D7B17E7182020ADFCF25DF94C8829AEB7B5FF14312F14415AEC056B256D331DAA9CF9A
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00256537
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00256545
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00256556
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00256567
Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1247241052
• Opcode ID: c11cf019f0f5b4c489a6055e2e9817d2d179f2ad19385132c4c1786010d21bb1
• Instruction ID: 024905b3c233691ce8af162a5d11eb27f724c6728eb75795212d9539589545d9
• Opcode Fuzzy Hash: c11cf019f0f5b4c489a6055e2e9817d2d179f2ad19385132c4c1786010d21bb1
• Instruction Fuzzy Hash: FEE01236966B70AF8745BFB1BC4DC86BFE4EB0A7113014451FE1DE2261D7F404A88B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(015A0550,015A0550,?,7FFFFFFF,?,002714DB,015A0550,015A0550,?,015A0550,?,?,?,?,015A0550,?), ref: 002712B1
• __alloca_probe_16.LIBCMT ref: 0027136C
• __alloca_probe_16.LIBCMT ref: 002713FB
• __freea.LIBCMT ref: 00271446
• __freea.LIBCMT ref: 0027144C
• __freea.LIBCMT ref: 00271482
• __freea.LIBCMT ref: 00271488
• __freea.LIBCMT ref: 00271498
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: b0329393e2a70f025c02da293b507dcf792d4f05f1d33e2f7a8ab32c77b56869
• Instruction ID: e2fee8b7530e8aa1256219260acc773170c270da6a060f1c3995d819af214034
• Opcode Fuzzy Hash: b0329393e2a70f025c02da293b507dcf792d4f05f1d33e2f7a8ab32c77b56869
• Instruction Fuzzy Hash: B4711772920216ABDF209EAC8C51BBF77FAAF46710F258059ED1CA7281D774DC708B60
Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 002597B7
• ___except_validate_context_record.LIBVCRUNTIME ref: 002597BF
• _ValidateLocalCookies.LIBCMT ref: 00259848
• __IsNonwritableInCurrentImage.LIBCMT ref: 00259873
• _ValidateLocalCookies.LIBCMT ref: 002598C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 9f8aa6d5b28cdb52d5b9cc2f2693d12d1b3761465df1aeed5f8c91e46384ff8b
• Instruction ID: 9041659a49718b54a71b18d64fcb6afa351644a60fe51087ec26d40a9053b568
• Opcode Fuzzy Hash: 9f8aa6d5b28cdb52d5b9cc2f2693d12d1b3761465df1aeed5f8c91e46384ff8b
• Instruction Fuzzy Hash: A441E530E20219EBCF10DF68C889A9EBBA1BF06325F148195EC185B352D771DDA9CF95
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59964b098898d0eede6d26b0917a78f383a04bf8844a6a38f1fa701d534c53d0
• Instruction ID: ab8c824408da3c8f9f7d9b379b1de011434d0843ff27f3d9a5d2f80cadf94967
• Opcode Fuzzy Hash: 59964b098898d0eede6d26b0917a78f383a04bf8844a6a38f1fa701d534c53d0
• Instruction Fuzzy Hash: BDB11670E2424A9FDF95DF98E984BADBFB1BF49304F144165E8009B2A2C7719DA1CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00254F7A
• std::_Lockit::_Lockit.LIBCPMT ref: 00254F84
• int.LIBCPMT ref: 00254F9B
  • Part of subcall function 0025260D: std::_Lockit::_Lockit.LIBCPMT ref: 0025261E
  • Part of subcall function 0025260D: std::_Lockit::~_Lockit.LIBCPMT ref: 00252638
• codecvt.LIBCPMT ref: 00254FBE
• std::_Facet_Register.LIBCPMT ref: 00254FD5
• std::_Lockit::~_Lockit.LIBCPMT ref: 00254FF5
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
• Opcode ID: a2538686f1a710195be5466a6ec3c62b8a57f32e2e58b7665f447d3da3c62e94
• Instruction ID: 8d26cf1f5bdf40d91b50bcb5e5d4003c408ca27fd4194ecda591ced92203a308
• Opcode Fuzzy Hash: a2538686f1a710195be5466a6ec3c62b8a57f32e2e58b7665f447d3da3c62e94
• Instruction Fuzzy Hash: 0411E471920625ABCB14FF64D8497ADB7B4BF44326F500549F805A7291DFB0AE6CCB88
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00259971,00259727,0025723F), ref: 00259988
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00259996
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002599AF
• SetLastError.KERNEL32(00000000,00259971,00259727,0025723F), ref: 00259A01
The GetLastError / FLS get and set / SetLastError sequence is the vcruntime per-thread-data accessor: it saves and restores the caller's last-error value around a fibre-local-storage lookup. This is runtime library code present in any MSVC-built binary, not sample-specific logic.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID: (none)
• API String ID: 3852720340-0
• Opcode ID: 916d56260601f6ec6c28330179f264d05442dddc6483f4c7a3a726531f872036
• Instruction ID: 8af62908e4842767381e27fa1e008d6315512eab212133c073317327b1ed5deb
• Opcode Fuzzy Hash: 916d56260601f6ec6c28330179f264d05442dddc6483f4c7a3a726531f872036
• Instruction Fuzzy Hash: 6101F53313D2129EA6552A747C8AA262646EB11376320033DFD28412E1FF710CA89589
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0010445D,?,?,00000000,00272E68,000000FF,?,00261395,00000002,?,00261369,0025DFC6), ref: 0026143A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0026144C
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00272E68,000000FF,?,00261395,00000002,?,00261369,0025DFC6), ref: 0026146E
GetModuleHandleExW for mscoree.dll, GetProcAddress for CorExitProcess and FreeLibrary is the universal CRT's exit-time check for an already loaded .NET runtime (if mscoree.dll is mapped, exit() hands off to CorExitProcess). It appears in every UCRT-linked program and is not sample behaviour.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true (associated dumps as listed for the functions above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 2b03960f9b44da38010b58cc97237ba5609836f5ffc1168f5ee652b4a7cc3540
• Instruction ID: e1ade94ec3ed6858f4b7d589bf383b5f635e0e9a00be94eba98ae708f7a9e210
• Opcode Fuzzy Hash: 2b03960f9b44da38010b58cc97237ba5609836f5ffc1168f5ee652b4a7cc3540
• Instruction Fuzzy Hash: 6601D632914625EFDB119F50DC0DFAEBBB8FB04B14F044225F815E3290DB749994CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0025493C
• std::_Lockit::_Lockit.LIBCPMT ref: 00254947
• std::_Lockit::~_Lockit.LIBCPMT ref: 002549B5
  • Part of subcall function 00254A98: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00254AB0
• std::locale::_Setgloballocale.LIBCPMT ref: 00254962
• _Yarn.LIBCPMT ref: 00254978
Every call here is into the statically linked MSVC runtime (LIBCMT/LIBCPMT): the _Lockit guard, _Locimp construction and _Setgloballocale are the STL's global locale initialisation, i.e. runtime boilerplate rather than sample logic.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true (associated dumps as listed for the functions above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID: (none)
• API String ID: 1088826258-0
• Opcode ID: 4561da83bb37481e35b6e80f7a6fc0cf94e5678dc6025cdcace643da251ab14c
• Instruction ID: fe7be21b19b2409fdcc0379ff6256964f84571d205e7ee70d5289066fdd488dd
• Opcode Fuzzy Hash: 4561da83bb37481e35b6e80f7a6fc0cf94e5678dc6025cdcace643da251ab14c
• Instruction Fuzzy Hash: 60019A35A115219BC709FB20E89E97DBBA1BF84355B544008EC0A17391CB746AAACB89
Uniqueness
• Uniqueness Score: -1.00%

The only API resolved for this function is _strcspn (see Similarity). The two "strings" lD' and pD' are three printable bytes each; read as little-endian DWORDs they are 0027446C and 00274470, which fall inside the 00274000 dump (protection 00000002, PAGE_READONLY), so they are most likely pointer constants into read-only data passed to _strcspn rather than genuine string literals.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true (associated dumps as listed for the functions above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: _strcspn
• String ID: lD'$pD'
• API String ID: 3709121408-2095853010
• Opcode ID: 128d7e596a5f6ab6bd6323216d039065c12001d631516cc62ff0de3566f40e45
• Instruction ID: ac755790a6319839336e1a41d38a14e53915f2c5f999c9b46c5a7e9ec34961d4
• Opcode Fuzzy Hash: 128d7e596a5f6ab6bd6323216d039065c12001d631516cc62ff0de3566f40e45
• Instruction Fuzzy Hash: F6B187B1528341AFD720DF28C884A6BBBE9FF89341F44491DF99987211D730E968CF5A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0025AA73,00000000,00000001,002807B4,?,?,?,0025AC16,00000004,InitializeCriticalSectionEx,00275E40,InitializeCriticalSectionEx), ref: 0025AACF
• GetLastError.KERNEL32(?,0025AA73,00000000,00000001,002807B4,?,?,?,0025AC16,00000004,InitializeCriticalSectionEx,00275E40,InitializeCriticalSectionEx,00000000,?,0025A9CD), ref: 0025AAD9
• LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,002598E3), ref: 0025AB01
LoadLibraryExW with flags 00000800 (LOAD_LIBRARY_SEARCH_SYSTEM32), a GetLastError check and a second LoadLibraryExW with flags 0, together with the api-ms- string, match the universal CRT's internal loader for its api-ms-win-* forwarder DLLs: it tries a system-directory-only load first, retries without the flag only on systems that reject it, and never retries for names beginning with api-ms-. The InitializeCriticalSectionEx entries on the stack are the thunk being resolved. This is runtime boilerplate, not sample behaviour.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true (associated dumps as listed for the functions above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 0a0b886f85dec46accadc9e2761de8525040585b426a5ebc56cb5a2a9c5c562a
• Instruction ID: 2250b160b9c8410daf0912eb2c6307f8da3bca13fa4c56794ff610e51821ca16
• Opcode Fuzzy Hash: 0a0b886f85dec46accadc9e2761de8525040585b426a5ebc56cb5a2a9c5c562a
• Instruction Fuzzy Hash: A7E0BF30690205F7EF202F61FC0BF693B56BB11B59F144121FE0DA84E1E7B199A4D9CA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(0010445D,00000000,00000000,00000000), ref: 002681EA
  • Part of subcall function 002695C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00267477,?,00000000,-00000008), ref: 0026966C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00268445
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0026848D
• GetLastError.KERNEL32 ref: 00268530
GetConsoleOutputCP, WideCharToMultiByte and WriteFile followed by GetLastError is the universal CRT's low-level console write path, taken when stdout or stderr is a console handle. Runtime boilerplate, not sample behaviour.
Memory Dump Source
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true (associated dumps as listed for the functions above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_file.jbxd
Yara matches: none
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID: (none)
• API String ID: 2112829910-0
• Opcode ID: a903157b63b7f101251ef832e5ee1b505fe80292015c00659d24595463e08cdc
• Instruction ID: d985148108271db95771093527c4d8c50cf56c54a7022b2a798b48107f580c70
• Opcode Fuzzy Hash: a903157b63b7f101251ef832e5ee1b505fe80292015c00659d24595463e08cdc
• Instruction Fuzzy Hash: 17D17AB5D102499FCF15CFA8D8809ADBBB4FF08314F18422AE816E7351EB30A995CF50
Uniqueness
• Uniqueness Score: -1.00%
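Every "APIs" entry in the function listings above has the same shape (`• Name.MODULE(args), ref: ADDR`, with an optional "Part of subcall function" prefix), and most of the functions are MSVC runtime stubs. The following Python is an added example, not Joe Sandbox code and not part of this report: it parses those lines and labels the five runtime patterns seen above so a triager can skip them and spend time on records that come back as REVIEW. The regex, the rule labels and the "constructed_injector" record are this example's own; the other sample records are copied verbatim from the listing above.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and flag MSVC runtime boilerplate.

Added example, not Joe Sandbox code. Assumes only the line shapes visible in the report:
    • Name.MODULE(arg,arg,...), ref: ADDR
    • Name.MODULE ref: ADDR
    •   Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
"""
from __future__ import annotations
import re
from dataclasses import dataclass

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Za-z0-9_]+)"   # e.g. std::_Lockit::~_Lockit.LIBCPMT
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]      # raw argument cells; '?' means the sandbox could not resolve one
    ref: int                   # address of the call site
    subcall_of: int | None     # callee address when the line is a "Part of subcall" entry

def parse_api_lines(text):
    """Return one ApiCall per recognised line; section headers and blanks are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls

def _names(calls):
    return {c.name for c in calls}

def _args_of(calls, name):
    return [c.args for c in calls if c.name == name]

# (label, predicate) pairs. Each predicate recognises one CRT/STL stub that occurs in the
# listing above; anything that matches none of them is returned as REVIEW.
RUNTIME_RULES = [
    ("UCRT exit(): GetModuleHandleExW(mscoree.dll) + GetProcAddress(CorExitProcess)",
     lambda cs: any("mscoree.dll" in a for a in _args_of(cs, "GetModuleHandleExW"))
     and any("CorExitProcess" in a for a in _args_of(cs, "GetProcAddress"))),
    ("UCRT api-ms-* thunk loader: LoadLibraryExW flags 0x800 then 0",
     lambda cs: {"00000800", "00000000"}
     <= {a[2] for a in _args_of(cs, "LoadLibraryExW") if len(a) > 2}),
    ("VCRuntime per-thread data: FLS get/set bracketed by Get/SetLastError",
     lambda cs: {"___vcrt_FlsGetValue", "___vcrt_FlsSetValue"} <= _names(cs)),
    ("MSVC STL global locale initialisation",
     lambda cs: {"std::_Lockit::_Lockit", "std::locale::_Setgloballocale"} <= _names(cs)),
    ("UCRT console text write: GetConsoleOutputCP, WideCharToMultiByte, WriteFile",
     lambda cs: {"GetConsoleOutputCP", "WriteFile"} <= _names(cs)),
]

def classify(calls):
    for label, matches in RUNTIME_RULES:
        if matches(calls):
            return "RUNTIME: " + label
    return "REVIEW"

# Three records copied from the listing above, plus one constructed record (not from the
# report) with the shape a remote-injection function would have.
SAMPLES = {
    "cor_exit_probe": """
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0010445D,?,?,00000000,00272E68,000000FF,?,00261395,00000002,?,00261369,0025DFC6), ref: 0026143A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0026144C
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00272E68,000000FF,?,00261395,00000002,?,00261369,0025DFC6), ref: 0026146E
""",
    "loader_thunk": """
• LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0025AA73,00000000,00000001,002807B4,?,?,?,0025AC16,00000004,InitializeCriticalSectionEx,00275E40,InitializeCriticalSectionEx), ref: 0025AACF
• GetLastError.KERNEL32(?,0025AA73,00000000,00000001,002807B4,?,?,?,0025AC16,00000004,InitializeCriticalSectionEx,00275E40,InitializeCriticalSectionEx,00000000,?,0025A9CD), ref: 0025AAD9
• LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,002598E3), ref: 0025AB01
""",
    "console_write": """
• GetConsoleOutputCP.KERNEL32(0010445D,00000000,00000000,00000000), ref: 002681EA
  • Part of subcall function 002695C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00267477,?,00000000,-00000008), ref: 0026966C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00268445
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0026848D
• GetLastError.KERNEL32 ref: 00268530
""",
    "constructed_injector": """
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401000
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401020
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00401040
""",
}

def triage_samples():
    """Classify every sample record; only the constructed injector should come back as REVIEW."""
    return {key: classify(parse_api_lines(text)) for key, text in SAMPLES.items()}
```

The rules deliberately key on argument values as well as API names where the listing gives them (the mscoree.dll / CorExitProcess strings, the 00000800 then 00000000 LoadLibraryExW flags), because a bare name set such as {LoadLibraryExW, GetLastError} is far too common to be a safe "skip this" signal. Paste a whole record's "APIs" block into `parse_api_lines`; unrelated lines (Memory Dump Source, hashes) are ignored by the regex.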

                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AdjustPointer
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1740715915-0
                                                                                                                                    • Opcode ID: e66d6506ba6d86f83150bb1fc935caf1601d668fd8a138980075cab515d16054
                                                                                                                                    • Instruction ID: d0b51376fe2ab5fac4b95268d7ba6ee6223326639e9aa9bc5eff1252ce5af3d7
                                                                                                                                    • Opcode Fuzzy Hash: e66d6506ba6d86f83150bb1fc935caf1601d668fd8a138980075cab515d16054
                                                                                                                                    • Instruction Fuzzy Hash: F051E372620203DFEB29CF14E881B7A77A5EF54316F144129EC0547691E771ECE9CB98
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 002695C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00267477,?,00000000,-00000008), ref: 0026966C
                                                                                                                                    • GetLastError.KERNEL32 ref: 00269A40
                                                                                                                                    • __dosmaperr.LIBCMT ref: 00269A47
                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00269A81
                                                                                                                                    • __dosmaperr.LIBCMT ref: 00269A88
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1913693674-0
                                                                                                                                    • Opcode ID: 50f36749b65b838b7815e0529f4841add5ac48e236f29db852726a1e8434b2c4
                                                                                                                                    • Instruction ID: b22b91ca4e50c401d8ba2a7d0923c30fd1877e080ac4c52d19d7b92b4601f991
                                                                                                                                    • Opcode Fuzzy Hash: 50f36749b65b838b7815e0529f4841add5ac48e236f29db852726a1e8434b2c4
                                                                                                                                    • Instruction Fuzzy Hash: 2A219271634206AFDB20AFA6988096BB7EDFF143647148519F82997251EF30EDF08B91
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 782fe4c1e6d074222a51dae642af8c8ecb3357716c483e4b27e64bc76b4b7795
                                                                                                                                    • Instruction ID: fb2ba258611279a090695a002d5b28a03737925c5eb5e0ed660f746f2b7f73b1
                                                                                                                                    • Opcode Fuzzy Hash: 782fe4c1e6d074222a51dae642af8c8ecb3357716c483e4b27e64bc76b4b7795
                                                                                                                                    • Instruction Fuzzy Hash: 0B21A171620206AFCB11EF719CC0D2BB7A9EF543647114624F82697151EB70EDF0ABE1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0026A97A
                                                                                                                                      • Part of subcall function 002695C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00267477,?,00000000,-00000008), ref: 0026966C
                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0026A9B2
                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0026A9D2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 158306478-0
                                                                                                                                    • Opcode ID: fa48385f9ed00aa09c24aa1701262a8e0e2e8861acc0a5e3f369d7d21564fced
                                                                                                                                    • Instruction ID: fa7cb18543e142bb653164894ed31b00c29ab80067bde5b640b97b94dc3c211c
                                                                                                                                    • Opcode Fuzzy Hash: fa48385f9ed00aa09c24aa1701262a8e0e2e8861acc0a5e3f369d7d21564fced
                                                                                                                                    • Instruction Fuzzy Hash: 8011C4F2522556BEAB11BBB16D8EC6F69ACCE493987510425F406B2101FE60DDE0C9B2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00251E26
                                                                                                                                    • int.LIBCPMT ref: 00251E39
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::_Lockit.LIBCPMT ref: 0025261E
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::~_Lockit.LIBCPMT ref: 00252638
                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00251E6C
                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00251E82
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 459529453-0
                                                                                                                                    • Opcode ID: 3982b8308bf4ec45b7b170568bcccdac94a157b4fc410c184ab95f943766c559
                                                                                                                                    • Instruction ID: 172c75d0c8c47d9a2466d5cbbbcc9eb281d9f4e3df1e0b9fd232fd5bae826e0e
                                                                                                                                    • Opcode Fuzzy Hash: 3982b8308bf4ec45b7b170568bcccdac94a157b4fc410c184ab95f943766c559
                                                                                                                                    • Instruction Fuzzy Hash: 3301A732920114BBCB14EF64D8069AEB768EF81761B200158FD15572D0EF70AEAACBC8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00251E9F
                                                                                                                                    • int.LIBCPMT ref: 00251EB2
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::_Lockit.LIBCPMT ref: 0025261E
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::~_Lockit.LIBCPMT ref: 00252638
                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00251EE5
                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00251EFB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 459529453-0
                                                                                                                                    • Opcode ID: 6bcc5ce2420156bd64892c281a72cc7c3a94fa4f8fdbcf62d1729b2a76ff3e64
                                                                                                                                    • Instruction ID: d6fbb5efbfe20694942230b2f904246cfdc73cfec0caf406d4bd2b71504bd8bd
                                                                                                                                    • Opcode Fuzzy Hash: 6bcc5ce2420156bd64892c281a72cc7c3a94fa4f8fdbcf62d1729b2a76ff3e64
                                                                                                                                    • Instruction Fuzzy Hash: 8F012B32920114BBCB14EF64D906DADB768DF41362B200158FC15572D0EF709EA9CB88
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00251F18
                                                                                                                                    • int.LIBCPMT ref: 00251F2B
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::_Lockit.LIBCPMT ref: 0025261E
                                                                                                                                      • Part of subcall function 0025260D: std::_Lockit::~_Lockit.LIBCPMT ref: 00252638
                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00251F5E
                                                                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00251F74
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 459529453-0
                                                                                                                                    • Opcode ID: 7d61b0dbd2391eddb191596763573be6950f09b04c05560b0802a31adb7766e1
                                                                                                                                    • Instruction ID: 57fea2951e17c06f453706bb694f577c36c39f4b26a7b0972c28fe0f0bd2ee69
                                                                                                                                    • Opcode Fuzzy Hash: 7d61b0dbd2391eddb191596763573be6950f09b04c05560b0802a31adb7766e1
                                                                                                                                    • Instruction Fuzzy Hash: 6D01A732924114BBCB14BF64D906AADB76CDF45365B200158FC15976D0EF70AE6D8BC8
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0026FF0B,00000000,00000001,00000000,00000000,?,00268584,00000000,00000000,00000000), ref: 00271057
                                                                                                                                    • GetLastError.KERNEL32(?,0026FF0B,00000000,00000001,00000000,00000000,?,00268584,00000000,00000000,00000000,00000000,00000000,?,00268B0B,00000000), ref: 00271063
                                                                                                                                      • Part of subcall function 00271029: CloseHandle.KERNEL32(FFFFFFFE,00271073,?,0026FF0B,00000000,00000001,00000000,00000000,?,00268584,00000000,00000000,00000000,00000000,00000000), ref: 00271039
                                                                                                                                    • ___initconout.LIBCMT ref: 00271073
                                                                                                                                      • Part of subcall function 00270FEB: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0027101A,0026FEF8,00000000,?,00268584,00000000,00000000,00000000,00000000), ref: 00270FFE
                                                                                                                                    • WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0026FF0B,00000000,00000001,00000000,00000000,?,00268584,00000000,00000000,00000000,00000000), ref: 00271088
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2744216297-0
                                                                                                                                    • Opcode ID: 8d6d1eadf669387d86fc50026a34f82f4cfc9f06944e6a3075e544553f9477e5
                                                                                                                                    • Instruction ID: 789e27bb1fc19bf643db052f72363fb6108970fe7a5cef5ca5f8818b7147f37c
                                                                                                                                    • Opcode Fuzzy Hash: 8d6d1eadf669387d86fc50026a34f82f4cfc9f06944e6a3075e544553f9477e5
                                                                                                                                    • Instruction Fuzzy Hash: F8F01C36410155BBCF622FA9ED09A9E3F6AFF083A0B048020FE0DC5120D73288B0DB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • EncodePointer.KERNEL32(00000000,?), ref: 0025A0B2
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: EncodePointer
                                                                                                                                    • String ID: MOC$RCC
                                                                                                                                    • API String ID: 2118026453-2084237596
                                                                                                                                    • Opcode ID: 6e2e91bfb63fb7ba55ee4818ba58256666119993e0ddddabacb4025bdd0131ba
                                                                                                                                    • Instruction ID: 3436b97e1f2b0a9893086e2c8b5af337efc248bdbe587d4b5cab3e3a4c604c3b
                                                                                                                                    • Opcode Fuzzy Hash: 6e2e91bfb63fb7ba55ee4818ba58256666119993e0ddddabacb4025bdd0131ba
                                                                                                                                    • Instruction Fuzzy Hash: D641787191020AAFCF15CF98CC82AEEBBB5BF48301F148159FE09B7251D33599A4CB96
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    APIs
                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00252096
                                                                                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002520CE
                                                                                                                                      • Part of subcall function 00254A33: _Yarn.LIBCPMT ref: 00254A52
                                                                                                                                      • Part of subcall function 00254A33: _Yarn.LIBCPMT ref: 00254A76
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014201440.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.000000000027F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014216057.00000000002C4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014281473.00000000002CD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2014362522.00000000002CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_250000_file.jbxd
                                                                                                                                    Yara matches
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                    • String ID: bad locale name
                                                                                                                                    • API String ID: 1908188788-1405518554
                                                                                                                                    • Opcode ID: c2af4cdee9ebaa289a4fcd04318bdcc7c41c6a14b755de739760395be3caa524
                                                                                                                                    • Instruction ID: f50d9eb7578315a2fbcb8b9d47f4ad388e179b33ab75e00605e50794c9b3d13d
                                                                                                                                    • Opcode Fuzzy Hash: c2af4cdee9ebaa289a4fcd04318bdcc7c41c6a14b755de739760395be3caa524
                                                                                                                                    • Instruction Fuzzy Hash: 7AF01D71556B409E8330AF6A9481443FBE4BE293213908E6FE4DEC3A51D730A458CF6D
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%
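The function records above (APIs, Memory Dump Source, Similarity, Uniqueness) repeat one fixed layout, which makes them easy to extract for pivoting on the Opcode ID, Instruction ID and fuzzy hashes across samples. The parser below is an added example, not Joe Sandbox code. Its SAMPLE text is a constructed excerpt of two records from this page with most section headers trimmed, the "Download File" suffix it strips is link text the page export fused onto the Associated lines, and the hcaresult_<process>_<phase>_<base>_<image>.jbxd layout of the snapshot names is inferred from the filenames shown here, not taken from documentation.

```python
"""Parse Joe Sandbox per-function records into dicts so the Opcode/Instruction
IDs and fuzzy hashes can be pivoted on. Added example, not Joe Sandbox code;
SAMPLE is a constructed excerpt of two records from this report."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• WriteConsoleW.KERNEL32(00000000,0000000C,?), ref: 00271057
  • Part of subcall function 00271029: CloseHandle.KERNEL32(FFFFFFFE), ref: 00271039
• ___initconout.LIBCMT ref: 00271073
• Source File: 00000000.00000002.2014181438.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2014166330.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
• Snapshot File: hcaresult_0_2_250000_file.jbxd
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• API String ID: 2744216297-0
• Opcode ID: 8d6d1eadf669387d86fc50026a34f82f4cfc9f06944e6a3075e544553f9477e5
• Instruction ID: 789e27bb1fc19bf643db052f72363fb6108970fe7a5cef5ca5f8818b7147f37c
• Opcode Fuzzy Hash: 8d6d1eadf669387d86fc50026a34f82f4cfc9f06944e6a3075e544553f9477e5
• Instruction Fuzzy Hash: F8F01C36410155BBCF622FA9ED09A9E3F6AFF083A0B048020FE0DC5120D73288B0DB90
Uniqueness Score: -1.00%
• EncodePointer.KERNEL32(00000000,?), ref: 0025A0B2
• Snapshot File: hcaresult_0_2_250000_file.jbxd
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 6e2e91bfb63fb7ba55ee4818ba58256666119993e0ddddabacb4025bdd0131ba
• Instruction ID: 3436b97e1f2b0a9893086e2c8b5af337efc248bdbe587d4b5cab3e3a4c604c3b
• Opcode Fuzzy Hash: 6e2e91bfb63fb7ba55ee4818ba58256666119993e0ddddabacb4025bdd0131ba
• Instruction Fuzzy Hash: D641787191020AAFCF15CF98CC82AEEBBB5BF48301F148159FE09B7251D33599A4CB96
Uniqueness Score: -1.00%
"""

# "<name>.<MODULE>(args), ref: <hex>" or "<name>.<MODULE> ref: <hex>"; bare headers such as "APIs" never match.
API_RE = re.compile(r"^• (?P<name>[^\s(]+)\.(?P<module>[A-Z0-9_]+)\b.*?ref: (?P<ref>[0-9A-Fa-f]+)")
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<parent>[0-9A-Fa-f]+): (?P<rest>.*)")
KV_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
# Snapshot names read hcaresult_<process>_<phase>_<base>_<image>.jbxd (layout inferred from the report).
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")
HASH_KEYS = ("api_id", "string_id", "api_string_id", "opcode_id",
             "instruction_id", "opcode_fuzzy_hash", "instruction_fuzzy_hash")


def _new_record():
    rec = {"apis": [], "subcalls": [], "associated": [], "snapshot": None,
           "source_file": None, "offset": None, "based_on_pe": None, "uniqueness_score": None}
    rec.update({k: "" for k in HASH_KEYS})
    return rec


def _store(rec, key, value):
    if key == "Source File":  # "<dump>.sdmp, Offset: <hex>, based on PE: true|false"
        dump, *rest = [p.strip() for p in value.split(",")]
        rec["source_file"] = dump
        for k, _, v in (p.partition(":") for p in rest):
            if k == "Offset":
                rec["offset"] = int(v, 16)
            elif k == "based on PE":
                rec["based_on_pe"] = v.strip() == "true"
    elif key == "Associated":  # drop the "Download File" link text the page export fused on
        rec["associated"].append(value.replace("Download File", "").strip())
    elif key == "Snapshot File":
        rec["snapshot"] = value
    elif key.lower().replace(" ", "_") in HASH_KEYS:
        rec[key.lower().replace(" ", "_")] = value


def parse_records(text):
    """One record per 'Uniqueness Score' line; a trailing record with no score is dropped."""
    records, cur = [], _new_record()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur = _new_record()
        elif m := SUBCALL_RE.match(line):
            if api := API_RE.match("• " + m["rest"]):
                cur["subcalls"].append((m["parent"], api["name"], api["ref"]))
        elif m := API_RE.match(line):
            cur["apis"].append((m["name"], m["module"], m["ref"]))
        elif m := KV_RE.match(line):
            _store(cur, m["key"], m["value"])
    return records


def snapshot_info(name):
    m = SNAPSHOT_RE.match(name or "")
    return None if not m else {"process": int(m[1]), "phase": int(m[2]),
                               "base": int(m[3], 16), "image": m[4]}


def check_hashes(rec):
    """IDs must be 64 hex chars, fuzzy hashes hex, and the Opcode Fuzzy Hash must
    restate the Opcode ID, as it does in every record on this page."""
    bad = [k for k in ("opcode_id", "instruction_id") if not re.fullmatch(r"[0-9a-fA-F]{64}", rec[k])]
    bad += [k for k in ("opcode_fuzzy_hash", "instruction_fuzzy_hash") if not re.fullmatch(r"[0-9a-fA-F]+", rec[k])]
    if rec["opcode_fuzzy_hash"] != rec["opcode_id"]:
        bad.append("opcode_fuzzy_hash != opcode_id")
    return bad


def by_snapshot(records):
    """Group per memory snapshot, keeping the first record seen for each Opcode ID."""
    groups = defaultdict(dict)
    for rec in records:
        groups[rec["snapshot"]].setdefault(rec["opcode_id"], rec)
    return {snap: list(recs.values()) for snap, recs in groups.items()}
```

check_hashes catches truncated or edited hashes before they are used as pivots, and by_snapshot separates records from the on-disk image (process 0 at 0x250000, based on PE: true) from those in the injected region of RegAsm (process 4 at 0x61A0000, based on PE: false) while dropping repeated Opcode IDs.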

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:7.4%
                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                    Signature Coverage:0%
                                                                                                                                    Total number of Nodes:111
                                                                                                                                    Total number of Limit Nodes:7
                                                                                                                                    execution_graph: rendered call graph (node and edge data omitted). API nodes in the graph: CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, LoadLibraryExW, CreateActCtxA, CallWindowProcW, LoadLibraryW, GetModuleHandleW, DuplicateHandle.

                                                                                                                                    Control-flow Graph

                                                                                                                                    control_flow_graph: rendered basic-block graph for the function at 61a3f50 with Executed / Not Executed colouring (block and edge data omitted); the function calls 61a3c88, 61a48a8 and 61a48b8.
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $]q$k *p^
• API String ID: 0-2367203351
• Opcode ID: 3cda7e2a6831abc587caadd367a20969835df01db9f719d97b439a6f90cf040e
• Instruction ID: 447f54a8c5f86555a705c072c721f79d2b1e321a8816f87179518eac54903f49
• Opcode Fuzzy Hash: 3cda7e2a6831abc587caadd367a20969835df01db9f719d97b439a6f90cf040e
• Instruction Fuzzy Hash: 59124F38B002158FCB54DF78C994AAEBBF6BF88700B158569E406EB365DB70EC41CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 804ea3a7580cb43150c392531e2cc6a5c949f4a6814a7601d82afa6ccca5276d
• Instruction ID: 0bfb338b963bdbbe45c8d44de09be4f6e864a83470ed4ed014515da46dadd882
• Opcode Fuzzy Hash: 804ea3a7580cb43150c392531e2cc6a5c949f4a6814a7601d82afa6ccca5276d
• Instruction Fuzzy Hash: 95F1AF35A003099FCB55DFA8D980B9EBBF6EF88300F148569E509DB2A5DB34ED45CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d4a84f9e5ea1c4f78f8288d3785d650a4609e2f9a8aae5fa93c7e7679fa7787
• Instruction ID: a705bb36b3cd1694290392386deb3c6b85a0c1558b2997cc5061114f6e088939
• Opcode Fuzzy Hash: 4d4a84f9e5ea1c4f78f8288d3785d650a4609e2f9a8aae5fa93c7e7679fa7787
• Instruction Fuzzy Hash: C6D1E874D01318CFCB58EFB4E9486ADBBB2FF8A302F1085A9D54AAB254DB315985CF11
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-2551331179
• Opcode ID: 83b1c065756f4590c2e6c718a0ad694c434171ca6a1f28f4715066da9e1589b9
• Instruction ID: 38be3a816b63583c28067ba2a5c4a5f013028e682732d1e0776fcb49f9e9b5fe
• Opcode Fuzzy Hash: 83b1c065756f4590c2e6c718a0ad694c434171ca6a1f28f4715066da9e1589b9
• Instruction Fuzzy Hash: 0322B434B042059FDB49AB69CD54A6EBBF6BF89700B158459E916CB3A2CF34DC02CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: ac65d7068b975dae07b77bfaa6594f8664ed27eb1f2d9b586ee8c54664265da2
• Instruction ID: 0775e0af62b6a467884c29a4c6070c387104d029ddf73cf453ad03b33a6c9c29
• Opcode Fuzzy Hash: ac65d7068b975dae07b77bfaa6594f8664ed27eb1f2d9b586ee8c54664265da2
• Instruction Fuzzy Hash: B1C1E534700246AFDB58AB64C895A2E7BE6FF85700F11485DE9029B3A2DF75DC06CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted)
APIs
• GetCurrentProcess.KERNEL32 ref: 00BDD136
• GetCurrentThread.KERNEL32 ref: 00BDD173
• GetCurrentProcess.KERNEL32 ref: 00BDD1B0
• GetCurrentThreadId.KERNEL32 ref: 00BDD209
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 1968b3d547cc37055267b48c07d5e57e0b39aa609fdf18c3a6c34b58ff652109
• Instruction ID: 6f15958d2cbf83bfb770bbad20a71dce3457967445bc703d1be8e85e467ca713
• Opcode Fuzzy Hash: 1968b3d547cc37055267b48c07d5e57e0b39aa609fdf18c3a6c34b58ff652109
• Instruction Fuzzy Hash: 925168B0900349CFDB14DFAAD548BAEFBF1EF89304F24849AE449A7360D7749948CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted)
APIs
• GetCurrentProcess.KERNEL32 ref: 00BDD136
• GetCurrentThread.KERNEL32 ref: 00BDD173
• GetCurrentProcess.KERNEL32 ref: 00BDD1B0
• GetCurrentThreadId.KERNEL32 ref: 00BDD209
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 10305b4bdbdee176e860fbd95bc36121854e67c3325796c5e79c17491062a3b4
• Instruction ID: d6c15d966529d23c346095c304725cfc63f48b8d7fde84abf6e458c39f10d1d4
• Opcode Fuzzy Hash: 10305b4bdbdee176e860fbd95bc36121854e67c3325796c5e79c17491062a3b4
• Instruction Fuzzy Hash: F55155B0900309CFDB14DFAAD548BAEBBF1EF48300F248499E409A7360D7349988CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: + *p^
• API String ID: 0-3484328030
• Opcode ID: a1191e0fb0782f247944d5861113dd5746e81b3e0144068e42b9c9cbdae7a85f
• Instruction ID: 4f1f510a6111bd1d7c780fc1c11ef6be3278bdb22610aa7940a6036b48c19277
• Opcode Fuzzy Hash: a1191e0fb0782f247944d5861113dd5746e81b3e0144068e42b9c9cbdae7a85f
• Instruction Fuzzy Hash: B3323A797006018FCB58DF39D588A6ABBF6FF89300B1584A9E506CB366DB74EC45CB90
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                    Control-flow Graph

                                                                                                                                    • Executed
                                                                                                                                    • Not Executed
                                                                                                                                    control_flow_graph 1626 2801ce4-2801cee 1628 2801cf0-2801cf1 1626->1628 1629 2801cf2-2801d56 1626->1629 1628->1629 1630 2801d61-2801d68 1629->1630 1631 2801d58-2801d5e 1629->1631 1632 2801d73-2801dab 1630->1632 1633 2801d6a-2801d70 1630->1633 1631->1630 1634 2801db3-2801e12 CreateWindowExW 1632->1634 1633->1632 1635 2801e14-2801e1a 1634->1635 1636 2801e1b-2801e53 1634->1636 1635->1636 1640 2801e60 1636->1640 1641 2801e55-2801e58 1636->1641 1642 2801e61 1640->1642 1641->1640 1642->1642
                                                                                                                                    APIs
                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02801E02
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2206813301.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_2800000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 716092398-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; basic blocks 2801cf0-2801e61, with the CreateWindowExW call in block 2801d73-2801e12)

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02801E02
Memory Dump Source
• Source File: 00000004.00000002.2206813301.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2800000_RegAsm.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 02804381
Memory Dump Source
• Source File: 00000004.00000002.2206813301.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2800000_RegAsm.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00BD59F1
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00BD59F1
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDD387
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDD387
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BDB101,00000800,00000000,00000000), ref: 00BDB312
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(00000000), ref: 068CA406
Memory Dump Source
• Source File: 00000004.00000002.2213773694.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68c0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BDB101,00000800,00000000,00000000), ref: 00BDB312
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNELBASE(00000000), ref: 068CA406
Memory Dump Source
• Source File: 00000004.00000002.2213773694.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68c0000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00BDB086
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00BDB086
Memory Dump Source
• Source File: 00000004.00000002.2205505020.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: + *p^
• API String ID: 0-3484328030
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211971092.0000000006180000.00000040.00000800.00020000.00000000.sdmp, Offset: 06180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6180000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                    • Opcode ID: d06df918b674c74b7c7ed74da30d56b5a8b3f614af13e2dea1730093162ca5c2
                                                                                                                                    • Instruction ID: a98d5b64d67b5265191f889c69388ff4963a04a53aaad06859183899f3edd03b
                                                                                                                                    • Opcode Fuzzy Hash: d06df918b674c74b7c7ed74da30d56b5a8b3f614af13e2dea1730093162ca5c2
                                                                                                                                    • Instruction Fuzzy Hash: 664101B5D01248DFDB54DFAAD944ADEFBB6AF88310F10842AE419B7250DB34A945CF90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3ede887b221be3e846d6b8ea02a0e995e20c9a946c81827662485db1f92e850b
                                                                                                                                    • Instruction ID: b3c9811096102d3e99b9a01a05e681f698dba37715fd4f043a9b4d4465d2f40c
                                                                                                                                    • Opcode Fuzzy Hash: 3ede887b221be3e846d6b8ea02a0e995e20c9a946c81827662485db1f92e850b
                                                                                                                                    • Instruction Fuzzy Hash: 0C31F2B1D012489FDB54DFAAD984ADEBFF6AF88300F14842AE419B7250DB349945CF94
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 2d2479afbe1fcf8642a1a5ea84f4ac3ce63a3c341e8980e8f20ecd76be90fd45
                                                                                                                                    • Instruction ID: 575488bc3b0f08e0e5175e0b110640152c702fc986b7e820ee95ff24af21103f
                                                                                                                                    • Opcode Fuzzy Hash: 2d2479afbe1fcf8642a1a5ea84f4ac3ce63a3c341e8980e8f20ecd76be90fd45
                                                                                                                                    • Instruction Fuzzy Hash: CE3111B5D01358DFDB94CFA9D884ADEBBF9EF48310F24852AE409B7240CB34A845CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205021438.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a3d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0df348b4f90c8106fd7d6b8a9f39afe04cbf69600a5ef606ccff8d1138d78e1a
                                                                                                                                    • Instruction ID: 89f963fcbe52791edcd85777afa3b701ef0ebd7a1fbd0250680a91abeca8af70
                                                                                                                                    • Opcode Fuzzy Hash: 0df348b4f90c8106fd7d6b8a9f39afe04cbf69600a5ef606ccff8d1138d78e1a
                                                                                                                                    • Instruction Fuzzy Hash: 0D213472600240EFCB05DF24E9C0F26BF65FB98318F24C569F9090B256C33AD856DBA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205021438.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a3d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 11d52ce5f57345b165e662bbf3be8279e2bbc6adbd1f443f344b01b260f69549
                                                                                                                                    • Instruction ID: 7bdcd50eba3897de126f0d64b60813c5ca075804a0473e88665feb45987cdac0
                                                                                                                                    • Opcode Fuzzy Hash: 11d52ce5f57345b165e662bbf3be8279e2bbc6adbd1f443f344b01b260f69549
                                                                                                                                    • Instruction Fuzzy Hash: 05213771504204DFDB05DF14E9C0F26BF65FB98324F24C569E9090F256C33AE856DBA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205122852.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a9d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bd0a470da0ce40b7c2f0690e5a62ac9dc2ec0a1015104c87fd756f01150f8cd3
                                                                                                                                    • Instruction ID: 02e305bf47e2544ecd0d5d2fb1d9bbea8051b78ad6fb092fb65e2cde991bed31
                                                                                                                                    • Opcode Fuzzy Hash: bd0a470da0ce40b7c2f0690e5a62ac9dc2ec0a1015104c87fd756f01150f8cd3
                                                                                                                                    • Instruction Fuzzy Hash: 3F21F271604244DFDF14DF24D984B26BFA5FB84314F24C969D94A4B256C33AD887CA61
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5c785c9c1c4f8d05c0e4755c696d9015309d17aa808538ae4f47bb571305d200
                                                                                                                                    • Instruction ID: 07a8ffe3ce05fdeaa379c6dcebacb684ebf8791754952f4c23f62ba53a1d1144
                                                                                                                                    • Opcode Fuzzy Hash: 5c785c9c1c4f8d05c0e4755c696d9015309d17aa808538ae4f47bb571305d200
                                                                                                                                    • Instruction Fuzzy Hash: 1E2126B5D01348DFDB54CFA9C995B9EBBF9AF08300F14852AE409B7240DB74A845CB90
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205122852.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a9d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3262f20342e519fbd0657decd77494d2fc4c0b11cd1eddd91aedbb7254f8260a
                                                                                                                                    • Instruction ID: b803c9bb90a5ca2175317a8d9d0d1c26b9c32e5437c93f3c8d1a93c516e362cd
                                                                                                                                    • Opcode Fuzzy Hash: 3262f20342e519fbd0657decd77494d2fc4c0b11cd1eddd91aedbb7254f8260a
                                                                                                                                    • Instruction Fuzzy Hash: 1221C3755093808FDB02CF24D994715BFB1FB46314F28C5EAD8498B697C33AD84ACB62
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 703a568f01395ca2a919ea9558a0e1045c1d43e9f3f328d801763e2bf38df4b8
                                                                                                                                    • Instruction ID: 5650581c02f06abf675669bc09b8822cce79be6a450e87f155d1e64de418c2bf
                                                                                                                                    • Opcode Fuzzy Hash: 703a568f01395ca2a919ea9558a0e1045c1d43e9f3f328d801763e2bf38df4b8
                                                                                                                                    • Instruction Fuzzy Hash: 1921D074E062189FCB48CFA9E848ADCBBB1BB89310F10912AE805B3360EB741906CF54
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 64369b386235d87947f95760983bc88700ae7ed9934202d6972fcf9033dd741b
                                                                                                                                    • Instruction ID: 4a6d23df75f86d5186fc71e6d9f59804cc882f7579521438c6e30399c6a649f7
                                                                                                                                    • Opcode Fuzzy Hash: 64369b386235d87947f95760983bc88700ae7ed9934202d6972fcf9033dd741b
                                                                                                                                    • Instruction Fuzzy Hash: A911C2352142154FC78DAB34A55496E7BAFEEC2341F14082DE187CB625DF34A94AC7D1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205021438.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a3d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                                                                                                                    • Instruction ID: bbcc90a2eed3146970e1864b8134cf1350f0896277ed799083092cfae2452ed3
                                                                                                                                    • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                                                                                                                    • Instruction Fuzzy Hash: 7711E676504280CFCB16CF14D9C4B16BF71FB94318F24C6A9E9494B616C336D85ACBA2
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2205021438.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_a3d000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                                                                                                                    • Instruction ID: 38eb5aaa051c44c8cee1793dd05dc7e292905439a5714174a6100fb918a1502d
                                                                                                                                    • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                                                                                                                    • Instruction Fuzzy Hash: 9E112972404240CFCF02CF10D5C4B16BF71FB94314F24C6A9E9490B616C33AD456CBA1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d700279506c7f0dd0caa74959cfddd5d8402cb7040187388245207420c3cd952
                                                                                                                                    • Instruction ID: 3979fa29d75635dad8296bd094ba855c4916b55dfad65d2d0dbed5021e99a68c
                                                                                                                                    • Opcode Fuzzy Hash: d700279506c7f0dd0caa74959cfddd5d8402cb7040187388245207420c3cd952
                                                                                                                                    • Instruction Fuzzy Hash: 23F0527260A3A41FC31A17387C1C0BD3FA9DDC6A4230800DFE1C2CB292CB188A06C7E1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 8d1aeeaa5e9cf1a707c798a2ccb5739e8168f7c9996437bcfdfd051287ec925e
                                                                                                                                    • Instruction ID: 466bf91833bd9643fa8d012e6764c1557458ccaeef3247c0d3372bb1f56e7d7a
                                                                                                                                    • Opcode Fuzzy Hash: 8d1aeeaa5e9cf1a707c798a2ccb5739e8168f7c9996437bcfdfd051287ec925e
                                                                                                                                    • Instruction Fuzzy Hash: EDF09035B54300AFD7208A68E845F567FEDEB86751F158166F214CF1E2D7B1E805D780
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 20ec6d89617c46edd5c0b2a287b42537f7dfd52d532e4ac89ff044025c8eb5f7
                                                                                                                                    • Instruction ID: f92bc37a3a99567098a326a3c3c8a45d1cb27a3ac084bef3470ff5d8c0e7f14f
                                                                                                                                    • Opcode Fuzzy Hash: 20ec6d89617c46edd5c0b2a287b42537f7dfd52d532e4ac89ff044025c8eb5f7
                                                                                                                                    • Instruction Fuzzy Hash: 1FF0F6301093E08FC312DB38E914A9B7FFADF82304F04046EE1C2CB652CA65A909CBD1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dba411e2f1a9f50ca3263970a182e4e8397132be999a981f98816a29b9adfaec
                                                                                                                                    • Instruction ID: 1e7547d5a1a3a0a492b626440cf9c4aeb55e6259116d67df57104510aadfa34a
                                                                                                                                    • Opcode Fuzzy Hash: dba411e2f1a9f50ca3263970a182e4e8397132be999a981f98816a29b9adfaec
                                                                                                                                    • Instruction Fuzzy Hash: EFF049B9C0925A9FDB80DBA4C8555AEBFB0EB5A201F0045DAE846E7251E7395A41CB40
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c2e907dad7010bd90dfd8a09285c32cd6f2aa5335f282a77c8ce4a1bfb3af901
                                                                                                                                    • Instruction ID: b823326113b3ffbd89a445fe3449e2ea33a134e764541f5481f29ddccf4d9690
                                                                                                                                    • Opcode Fuzzy Hash: c2e907dad7010bd90dfd8a09285c32cd6f2aa5335f282a77c8ce4a1bfb3af901
                                                                                                                                    • Instruction Fuzzy Hash: BAF0A032F202195B8F51DAA9AC859AFBFFDEB88261B084026EA14C3100EB30D815C7A1
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 50c6fb6fdbf79310db473e55c885b18b16014b44b04b1d1f452b5a7c2a8b4b28
                                                                                                                                    • Instruction ID: 9e30f818ab652c07951e537aa0c85f9d9f5da2f14ec97fa7e5652cc854e94a3b
                                                                                                                                    • Opcode Fuzzy Hash: 50c6fb6fdbf79310db473e55c885b18b16014b44b04b1d1f452b5a7c2a8b4b28
                                                                                                                                    • Instruction Fuzzy Hash: C1F0B4399087418FDBA9CE21D54076B7BB3BF80325F49986DE04246925D775E585CB40
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e70af43f5931e90ff3ba1bd9059e0750a4a78010a79874b2fa37993401bd9fef
                                                                                                                                    • Instruction ID: f0619e847fdcad735da199125f020b17d38c66394e7b2ba27faebdd06e540cb2
                                                                                                                                    • Opcode Fuzzy Hash: e70af43f5931e90ff3ba1bd9059e0750a4a78010a79874b2fa37993401bd9fef
                                                                                                                                    • Instruction Fuzzy Hash: 1FE065717041145FD3049E9E9C40D5BFBEDEFD9A20B11406AF504D7351CA70AC0186A4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4f81ee5cb9a27e091015f9fbbf47be115a3b76914295f09d6a91b0d0a657f880
                                                                                                                                    • Instruction ID: 1dc2ad814b98025a914e0a37350e39cbf327959a484886dc1b2d97092699389c
                                                                                                                                    • Opcode Fuzzy Hash: 4f81ee5cb9a27e091015f9fbbf47be115a3b76914295f09d6a91b0d0a657f880
                                                                                                                                    • Instruction Fuzzy Hash: 42F082226493E51FC61757387C284AD3F6ADEC7611705009BE5C58B293CD580A45C7D5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: dd1b7cccf5dd187df03a533586557f21087cd3a77b550dd41508f84c1ddaa221
                                                                                                                                    • Instruction ID: 76bce57a0ac230c1857682be85537917e3e124f6038bdd8d83f48ea73e2c5039
                                                                                                                                    • Opcode Fuzzy Hash: dd1b7cccf5dd187df03a533586557f21087cd3a77b550dd41508f84c1ddaa221
                                                                                                                                    • Instruction Fuzzy Hash: 53E092312052046FC7186A5AB989A9E7BDEEBCA391F00402DF20EC7242CE65580587A5
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: ec809267e112d195bf4433a7aa3bdf66e595e3165adefc8849c8042402202614
                                                                                                                                    • Instruction ID: 798e799231d282b601be0517ab142ab937cd3471632d5c97bcf21fa5f88bc45a
                                                                                                                                    • Opcode Fuzzy Hash: ec809267e112d195bf4433a7aa3bdf66e595e3165adefc8849c8042402202614
                                                                                                                                    • Instruction Fuzzy Hash: B0F09074501B158FD715EF26E408512FBFAFB88341F00C62EE84B82A10DB70A90ACFC4
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 93925968c7f695ab71f2c06e2fae65ea163b570f9dc39bb1437503e96c647abf
                                                                                                                                    • Instruction ID: 39adb37bd6a0ea7d1f8a543d0599d1685e3438b5e3fb9ccd8ad1e68cb3cc7174
                                                                                                                                    • Opcode Fuzzy Hash: 93925968c7f695ab71f2c06e2fae65ea163b570f9dc39bb1437503e96c647abf
                                                                                                                                    • Instruction Fuzzy Hash: 66F0AE75D1120CAFCB41DFF4D9488CEBBB9EB88340F1082AAE945E7244EA706B55DF91
                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 449cd3bf913eb249c12fcf6805d42b9fb98f22e8a7adc831692e86292e3631e5
• Instruction ID: e41995b0e6d278607a0c884bfd0e43f41c5030f5367f379603dcd8e5bb6a57c4
• Opcode Fuzzy Hash: 449cd3bf913eb249c12fcf6805d42b9fb98f22e8a7adc831692e86292e3631e5
• Instruction Fuzzy Hash: EAE0ED302047648FC724AB2DF908BAF7BEEDF82344F04042DE2878B711CBA5A8058BD1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2213773694.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68c0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .$1
• API String ID: 0-1839485796
• Opcode ID: 09ccf0d5846f14df35ef39a6d4829b0c8f19b89da180f5aaf7c318c7c874cc13
• Instruction ID: f6ba0cf0c3ce7048319af25936784bbee0610d46b9e7f951e6c61db1a7e44f50
• Opcode Fuzzy Hash: 09ccf0d5846f14df35ef39a6d4829b0c8f19b89da180f5aaf7c318c7c874cc13
• Instruction Fuzzy Hash: 47F11270E01229CFDB68DF65C894B9DBBB2FF89305F1085A9D50AA7250DB319E85CF60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2213773694.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_68c0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bd53d15a29ab9874f8f6ad94e401828837757db199ec7d1b9ab9f52852f4e053
                                                                                                                                    • Instruction ID: 787e6857d309a926dd00a30c895799e45b757dcc5204f2c4d9c872ba8569d4e9
                                                                                                                                    • Opcode Fuzzy Hash: bd53d15a29ab9874f8f6ad94e401828837757db199ec7d1b9ab9f52852f4e053
                                                                                                                                    • Instruction Fuzzy Hash: 45228C74D012298FDBA5DF64C994BDDB7B2BF89300F1085EAD549AB251EB309E85CF80
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2213773694.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_68c0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 278d60bc1b475ad5cd2879dfda138908558e51cf582a976415a84b091c2f1158
                                                                                                                                    • Instruction ID: 7860d9cf29c78d4b68f22d2ac85cf6db09944a410a4ab018aec1615d78e1c386
                                                                                                                                    • Opcode Fuzzy Hash: 278d60bc1b475ad5cd2879dfda138908558e51cf582a976415a84b091c2f1158
                                                                                                                                    • Instruction Fuzzy Hash: 0C910774E00219CFDB64DFA4C984B9DBBB2BF49304F1081A9D549AB351EB34AE89CF51
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-1246243312
                                                                                                                                    • Opcode ID: a4293777791a812bfb0f89e6adbfefb46e0c74b7960fdfcfd6cdc44159261df9
                                                                                                                                    • Instruction ID: 45e19ddfa4ae60ede47a396fb1e3f9ba715d313c0c7241d013f790f12d3ab399
                                                                                                                                    • Opcode Fuzzy Hash: a4293777791a812bfb0f89e6adbfefb46e0c74b7960fdfcfd6cdc44159261df9
                                                                                                                                    • Instruction Fuzzy Hash: FCD1A1313147016BDA09B6A0AD92EADA657FF87300B50483CE1244F7BEDF756D1A83D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-1246243312
                                                                                                                                    • Opcode ID: 036d78358bbb8f816db3951dad1d289671497c3ebd478095a41b24f048e555e3
                                                                                                                                    • Instruction ID: 27a983f1c508f5e8f5caaa799712370f50922b136c0808512c87cfb59f31ac8c
                                                                                                                                    • Opcode Fuzzy Hash: 036d78358bbb8f816db3951dad1d289671497c3ebd478095a41b24f048e555e3
                                                                                                                                    • Instruction Fuzzy Hash: 5FD1A0313147016BDA09B6A0AD92EADA657FF87300B50483CE1244F7BEDF756D1A83D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-2324958918
                                                                                                                                    • Opcode ID: 0531b4dc9c77ab1dc2e48c1d9eac7b7f95778ef51781a921549fd5c8b8bb5555
                                                                                                                                    • Instruction ID: 995df97458b7e5c9c057cbf117fa75cb1ddf4c8f205e20889b617075267f2e6a
                                                                                                                                    • Opcode Fuzzy Hash: 0531b4dc9c77ab1dc2e48c1d9eac7b7f95778ef51781a921549fd5c8b8bb5555
                                                                                                                                    • Instruction Fuzzy Hash: E041B9323047006BEB09B7A49D82E6DA657FF87300B50483DF2188F6AADF756D0987D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-2324958918
                                                                                                                                    • Opcode ID: d8d60b36c53a726a6e9e6b08b89ad0f2959449741a7c95c8e69e94cbd76d5396
                                                                                                                                    • Instruction ID: d27df097ea1ef22d032e3e3afae95f1d155da2d2eb84ab65b16e703c0aa99c90
                                                                                                                                    • Opcode Fuzzy Hash: d8d60b36c53a726a6e9e6b08b89ad0f2959449741a7c95c8e69e94cbd76d5396
                                                                                                                                    • Instruction Fuzzy Hash: 2041B8323047002BEA09B6A4AD82E6DA557FB87300F50483CF2188F6AACF756D0943D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-1694311651
                                                                                                                                    • Opcode ID: bdc481c6a10558bdf510feea0700601bd02acce894c0f53b876e63b9c002a9b4
                                                                                                                                    • Instruction ID: e5c972fe7b3a655dc31734531424d40afe5967f10fd8a8b6b899dd4bc7edf64f
                                                                                                                                    • Opcode Fuzzy Hash: bdc481c6a10558bdf510feea0700601bd02acce894c0f53b876e63b9c002a9b4
                                                                                                                                    • Instruction Fuzzy Hash: 4531BB313043016BDB09B6A49D82E6DBA57FB87300F50483DF1148F6AADF756D0587D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-1694311651
                                                                                                                                    • Opcode ID: 8249f1d122ac50d8ca2ef83cbc2f9f5716f18d0b1af2644325258162bf372d0c
                                                                                                                                    • Instruction ID: 663fec29e296da2d522410785573ffcebcb3d5990b848b035e5ca912cb29e408
                                                                                                                                    • Opcode Fuzzy Hash: 8249f1d122ac50d8ca2ef83cbc2f9f5716f18d0b1af2644325258162bf372d0c
                                                                                                                                    • Instruction Fuzzy Hash: D221CC323143112BEB09B6A49D82E6DA55BFB87300F50483CF1188F7AACF756D0983D6
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-2878456806
                                                                                                                                    • Opcode ID: 51acb08e0359fe1dad3a93afa86f7aaad5bc84ed6585214117efcfe577429be4
                                                                                                                                    • Instruction ID: 202f5514583c0307de96d48030665a3f1aaf77b11ef64f8d113ae22725002311
                                                                                                                                    • Opcode Fuzzy Hash: 51acb08e0359fe1dad3a93afa86f7aaad5bc84ed6585214117efcfe577429be4
                                                                                                                                    • Instruction Fuzzy Hash: 36318F313086826FDB092BA4AD96D6D7B67FB863017104538F105CF6A9CEB45E4AC782
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: D?j$D?j$D?j$D?j$D?j$D?j$D?j
                                                                                                                                    • API String ID: 0-2878456806
                                                                                                                                    • Opcode ID: 3e0dfe1b21ac95418f02ae4f71fd533f849874019e4862fa161f5644361c7674
                                                                                                                                    • Instruction ID: 8c60fb4e79438d555dfb0fd1e5514e28868f1aab1ccb8c502341b7445bdc72c5
                                                                                                                                    • Opcode Fuzzy Hash: 3e0dfe1b21ac95418f02ae4f71fd533f849874019e4862fa161f5644361c7674
                                                                                                                                    • Instruction Fuzzy Hash: CE2171323046426FDF092BA4ED86C6D775BFB86301B104438F105CF6A9CEB55E4A8B82
                                                                                                                                    Uniqueness

                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: (_]q$(_]q$(_]q$(_]q$(_]q$(_]q
                                                                                                                                    • API String ID: 0-414434136
                                                                                                                                    • Opcode ID: aa7cab788d0e76b935730f82a5cc973cc56aff8d297d4ce22f4f1264f36fd5aa
• Instruction ID: 3231f63b668cbcf228d5fb449187a315e2cd850c297c7d7e0e4a94fa2ce40e9b
• Opcode Fuzzy Hash: aa7cab788d0e76b935730f82a5cc973cc56aff8d297d4ce22f4f1264f36fd5aa
• Instruction Fuzzy Hash: 8BD19E39A083449FCB459F78C4545AE7FB2EF86340F1484AAE946DB382DB359E06CBD1

Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: D?j$D?j$D?j$D?j$D?j$D?j
• API String ID: 0-3746439330
• Opcode ID: f8e7d59bd7dc613a71a5c4fa854b09aef7bbfd94993e5677f88187fa26acd8c5
• Instruction ID: e17c5ab06a438c18ae89843a271d63dbe1a23bf36fc48ee7eea3ee5eddf82f6c
• Opcode Fuzzy Hash: f8e7d59bd7dc613a71a5c4fa854b09aef7bbfd94993e5677f88187fa26acd8c5
• Instruction Fuzzy Hash: 0721D8323043002BE70ABBA59992E5DBA97FB87700F50493DF1148F6AACF756D1983D2

Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2211994796.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_61a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: D?j$D?j$D?j$D?j$D?j$D?j
• API String ID: 0-3746439330
• Opcode ID: 08498255dca7fddab74ed2a06101e6ffc12502ce0ad5c8b89164be6f1da6a40d
• Instruction ID: c413d59e94439164c3e5dc5db680dcc96cece1d496985a5e64e7eba0873a08cb
• Opcode Fuzzy Hash: 08498255dca7fddab74ed2a06101e6ffc12502ce0ad5c8b89164be6f1da6a40d
• Instruction Fuzzy Hash: B011DB323043102BEA0976A5AD92E6DA65BFB87700F50493CF1148F6AACF766D1983D3

Uniqueness
• Uniqueness Score: -1.00%