Windows Analysis Report
ChromeFIX_errorMEM.exe

Overview

General Information

Sample Name: ChromeFIX_errorMEM.exe
Analysis ID: 829699
MD5: 74b6b35627f6453d787f1c7ea3b9ec33
SHA1: a9282e204443fed6e0be28e8e2dfe7c927706428
SHA256: 51921d13908bd84b1c8fbdd77e6e29d4359ce0fc40857f6f0ad15b1b6ee74730
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ChromeFIX_errorMEM.exe (PID: 5764 cmdline: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe MD5: 74B6B35627F6453D787F1C7EA3B9EC33)
    • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 5828 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}
Source: dump.pcap, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: Process Memory Space: AppLaunch.exe PID: 5828, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: Process Memory Space: AppLaunch.exe PID: 5828, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 2.2.AppLaunch.exe.400000.0.unpack, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 2.2.AppLaunch.exe.400000.0.unpack, Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen, Strings:
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a2:$v2_1: ListOfProcesses
  • 0x13281:$v4_3: base64str
  • 0x13e05:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12814:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen, Strings:
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a2:$v2_1: ListOfProcesses
  • 0x13281:$v4_3: base64str
  • 0x13e05:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12814:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
                    No Sigma rule has matched
Timestamp: 03/19/23-00:27:09.983730
Source IP: 192.168.2.3
Destination IP: 135.181.173.163
SID: 2043233
Source Port: 49685
Destination Port: 4323
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/19/23-00:27:12.062612
Source IP: 135.181.173.163
Destination IP: 192.168.2.3
SID: 2043234
Source Port: 4323
Destination Port: 49685
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/19/23-00:27:21.986883
Source IP: 192.168.2.3
Destination IP: 135.181.173.163
SID: 2043231
Source Port: 49685
Destination Port: 4323
Protocol: TCP
Classtype: A Network Trojan was detected

                    AV Detection

Source: ChromeFIX_errorMEM.exe, ReversingLabs: Detection: 38%
Source: ChromeFIX_errorMEM.exe, Virustotal: Detection: 48%
Source: ChromeFIX_errorMEM.exe, Joe Sandbox ML: detected
Source: 2.2.AppLaunch.exe.400000.0.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}
Source: ChromeFIX_errorMEM.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ChromeFIX_errorMEM.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Networking

Source: Traffic, Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49685 -> 135.181.173.163:4323
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49685 -> 135.181.173.163:4323
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 135.181.173.163:4323 -> 192.168.2.3:49685
Source: Malware configuration extractor, URLs: 135.181.173.163:4323
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic, TCP traffic: 192.168.2.3:49685 -> 135.181.173.163:4323
Source: unknown, TCP traffic detected without corresponding DNS query: 135.181.173.163
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: AppLaunch.exe, 00000002.00000002.305735344.00000000071E2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: ChromeFIX_errorMEM.exe, ChromeFIX_errorMEM.exe, 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, ChromeFIX_errorMEM.exe, 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: ChromeFIX_errorMEM.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132
                    Source: ChromeFIX_errorMEM.exe Binary or memory string: OriginalFilename vs ChromeFIX_errorMEM.exe
                    Source: ChromeFIX_errorMEM.exe, 00000000.00000003.240337295.0000000000F9E000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFrowstiest.exe< vs ChromeFIX_errorMEM.exe
                    Source: ChromeFIX_errorMEM.exe, 00000000.00000000.238359186.000000000100E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOldtimersB vs ChromeFIX_errorMEM.exe
                    Source: ChromeFIX_errorMEM.exe, 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFrowstiest.exe< vs ChromeFIX_errorMEM.exe
                    Source: ChromeFIX_errorMEM.exe Binary or memory string: OriginalFilenameOldtimersB vs ChromeFIX_errorMEM.exe
                    Source: ChromeFIX_errorMEM.exe ReversingLabs: Detection: 38%
                    Source: ChromeFIX_errorMEM.exe Virustotal: Detection: 48%
                    Source: ChromeFIX_errorMEM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Yandex
                    Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB77.tmp
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/7@0/1
                    Source: AppLaunch.exe, 00000002.00000002.305735344.000000000726D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007373000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007282000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080EC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000813D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007387000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007304000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000072F0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5764
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: ChromeFIX_errorMEM.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD5A19 push ecx; ret 0_2_00FD5A2C
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FE0709 push es; ret 0_2_00FE0749
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD7E1C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00FD7E1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5660; Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5580; Thread sleep count: 2645 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5856; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-5036
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Window / User API: threadDelayed 2645
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Process information queried: ProcessInformation
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                    Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware7,1
                    Source: Amcache.hve.4.dr; Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.me
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.4.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD6A64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00FD6A64
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD7E1C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00FD7E1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_0100BD54 mov eax, dword ptr fs:[00000030h] 0_2_0100BD54
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FDBAC5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FDBAC5
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD466F SetUnhandledExceptionFilter,0_2_00FD466F
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD6A64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00FD6A64
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD7594 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00FD7594

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4F25008
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_0100BD89 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_0100BD89
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: GetLocaleInfoA,0_2_00FDC04F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe; Code function: 0_2_00FD5BBC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00FD5BBC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: Amcache.hve.4.dr; Binary or memory string: c:\users\user\desktop\procexp.exe
                    Source: Amcache.hve.4.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.4.dr; Binary or memory string: procexp.exe

                    Stealing of Sensitive Information

                    Source: Yara match; File source: dump.pcap, type: PCAP
                    Source: Yara match; File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 5828, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

                    Remote Access Functionality

                    Source: Yara match; File source: dump.pcap, type: PCAP
                    Source: Yara match; File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 5828, type: MEMORYSTR
                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | 221 Windows Management Instrumentation | Path Interception | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 251 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 11 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                    Source | Detection | Scanner | Label | Link
                    ChromeFIX_errorMEM.exe | 38% | ReversingLabs | Win32.Trojan.CrypterX |
                    ChromeFIX_errorMEM.exe | 49% | Virustotal | | Browse
                    ChromeFIX_errorMEM.exe | 100% | Joe Sandbox ML | |

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link | Download
                    2.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1252166 | | Download File
                    0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack | 100% | Avira | HEUR/AGEN.1252166 | | Download File

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    135.181.173.163:4323 | 0% | Avira URL Cloud | safe |
                    135.181.173.163:4323 | 4% | Virustotal | | Browse
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    135.181.173.163:4323 | true | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown

                    Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://ns.ado/1.0/sAppLaunch.exe, 00000002.00000002.305624677.00000000054C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoorAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id17ResponseAppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
135.181.173.163 | unknown | Germany | 24940 | HETZNER-ASDE | true
                                                                                                                                                    Joe Sandbox Version:37.0.0 Beryl
                                                                                                                                                    Analysis ID:829699
                                                                                                                                                    Start date and time:2023-03-19 00:26:07 +01:00
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 6m 24s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Number of analysed new started processes analysed:16
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Sample file name:ChromeFIX_errorMEM.exe
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@5/7@0/1
                                                                                                                                                    EGA Information:
                                                                                                                                                    • Successful, ratio: 50%
                                                                                                                                                    HDC Information:
                                                                                                                                                    • Successful, ratio: 90.7% (good quality ratio 87%)
                                                                                                                                                    • Quality average: 82.8%
                                                                                                                                                    • Quality standard deviation: 25.7%
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 96%
                                                                                                                                                    • Number of executed functions: 91
                                                                                                                                                    • Number of non-executed functions: 9
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
                                                                                                                                                    • Execution Graph export aborted for target AppLaunch.exe, PID 5828 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:27:01 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
00:27:26 | API Interceptor | 15x Sleep call for process: AppLaunch.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
135.181.173.163 | file.exe | malicious | RedLine
135.181.173.163 | file.exe | malicious | RedLine
135.181.173.163 | bYif90DSqE.exe | malicious | RedLine
135.181.173.163 | hDhN07cVJf.exe | malicious | RedLine
                                                                                                                                                            No context
                                                                                                                                                            No context
                                                                                                                                                            No context
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):65536
                                                                                                                                                            Entropy (8bit):0.8431639159677459
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:aFeMHFau7TeecwtoI7Rj6tpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OFL9iVffYEs:QMu7fwHBUZMXYjJSq/u7sWS274ItJz
                                                                                                                                                            MD5:932664183AA0A32C0E1B63E46AA0FFDA
                                                                                                                                                            SHA1:DFD33ECC6A7B5717CDCE2947D4BC682678A35BB7
                                                                                                                                                            SHA-256:731413517DFB42E2D12A6D01BA9A60A14F85A9916A1CB27DD8E97C9CEB9BD63C
                                                                                                                                                            SHA-512:F47A833A117DE80992809E0307A34C0FD5F63D2B0261ECB2F65EC6DB52C5B905776DE066B8AB66C21E71B33030438CADBE994331063941E2DB9C465659D3942B
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
Preview:Version=1..EventType=BEX..EventTime=133236844191840589..ReportType=2..Consent=1..UploadTime=133236844197309498..ReportStatus=524384..ReportIdentifier=ff25d53a-a91c-4986-aa14-f0a26e9a1a37..IntegratorReportIdentifier=e1551de3-173c-48a3-80f5-dee0307c2604..Wow64Host=34404..Wow64Guest=332..NsAppName=ChromeFIX_errorMEM.exe..AppSessionGuid=00001684-0001-001f-207e-dd2f345ad901..TargetAppId=W:0006f204cf76628a2937759c3b18080ecd3e00001a08!0000a9282e204443fed6e0be28e8e2dfe7c927706428!ChromeFIX_errorMEM.exe
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:Mini DuMP crash report, 14 streams, Sun Mar 19 07:26:59 2023, 0x1205a4 type
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):45376
                                                                                                                                                            Entropy (8bit):1.8124432683259049
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:PYNhZ7wO64/9+6J1QxS7obbS4Eu83YQO:o6y+gCJ/Eu8I5
                                                                                                                                                            MD5:41DB3C3E47377B047B1DE1E5FFD5C8BC
                                                                                                                                                            SHA1:88191D097E0AAEA3EDA8E129CD653EC4C576FFC8
                                                                                                                                                            SHA-256:EE0194B9F7BDF480A5581080E7E50708F4936A3AA4E5D9FF89E6699FFD08CBD4
                                                                                                                                                            SHA-512:39892083ACD433A09CFC584E5B28C9B9A23AFB0A802684A66610AC4E07C559DDBEC1DCCF48A5B87FF6171CF188E7169F9C033D4391C41A8DE6FF9046DA6D82F7
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):8434
                                                                                                                                                            Entropy (8bit):3.700284113308964
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:192:Rrl7r3GLNiK2646YqASUOMvgmfaxmSxCpr/89blLsf+U3m:RrlsNir646YtSUdgmfrShlQfU
                                                                                                                                                            MD5:63F6B02D4E232F69FC8F56115D6D36E7
                                                                                                                                                            SHA1:8AC18D6573CFE28C82C1DCE437D9C86AC1C7B551
                                                                                                                                                            SHA-256:B32C3C77A4D4EFC30FA5695A2AD1C04D0C7D3675BAA9132C433075F3C753E540
                                                                                                                                                            SHA-512:5064063B7DE8EA497A026C614B521C99CFA64811CEE8A909D8031E27998C6F966006AEF4903722ECE476877F29A3DA823FB77274429DB96E38CDFBF9EFB19CDE
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>5764</Pid>...
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):4756
                                                                                                                                                            Entropy (8bit):4.505325155750122
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:cvIwSD8zsrJgtWI9/iVSWgc8sqYjf8fm8M4JA2gGMF6+q8vLgGYOvSWdutItfd:uITfFIiVzgrsqYoJpDKnYAUefd
                                                                                                                                                            MD5:8E71765A94A747E842E3E511ACA1C481
                                                                                                                                                            SHA1:1BCF6F023AEDD246F13084E27DECF3891F65C13D
                                                                                                                                                            SHA-256:5C5939271ACBBAF82A589CCF7307A8C541F1449F556EA5BFE2C37FE2BA36CD29
                                                                                                                                                            SHA-512:B0B682AB135A1272D22A308F847CCB0E5B607B883DAEFAE7B3184EB2C172BE7243FC01E46EE0212DFBDC0D09C8A2653455BF9DCCB8B196E8C90B603DE44DBFCF
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:low
                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1959397" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):2752
                                                                                                                                                            Entropy (8bit):5.335270411216887
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHjq:iqXeqm00YqhQnouOqLqdqNq2qzcGtIx4
                                                                                                                                                            MD5:325ECAAB191D9F741B127964E978A5D3
                                                                                                                                                            SHA1:B5E61B16E9399D102A00613323001CD69AC3E97A
                                                                                                                                                            SHA-256:38B47B7B5BA6D77CED448D8396426AC9B6C722A12F61793D3FD79E3AD1615123
                                                                                                                                                            SHA-512:D5017FC87DA83B8A1B336B3FBF779CB5040F3C0AD4FD4D9D661E7D953C816648D09D24A46B8C3A75F65CE717E237E350F0489EC3491844D791D4AFE2E8368BD4
                                                                                                                                                            Malicious:false
                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1572864
                                                                                                                                                            Entropy (8bit):4.288770781817703
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:12288:XcJvy5zN1sUbP5nASQw0IQYVA17eAVAG1HxbZC30pr1ci+fDDLnbwOzb:Wvy5zN1sUbP5nA6yWX
                                                                                                                                                            MD5:D94238BC69165D83EFA7BFAF027528CE
                                                                                                                                                            SHA1:84D7B17EE2B4E6171B8D500B0CA61531DF6A5DE6
                                                                                                                                                            SHA-256:095DDD91051AF1AD2181EBF7C5874B59944E777880FBC8F10BAB2321AF26C14E
                                                                                                                                                            SHA-512:2CECCA35BD98A5F35FF4D206D073BA02E618F10E94A0C3C47171FE0AD42743B75D288C372066621FF73945D6B453E092CE51CE852D680CC789FE086AC5D2B6C2
                                                                                                                                                            Malicious:false
                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):28672
                                                                                                                                                            Entropy (8bit):3.8172451480315845
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:768:qCeRftx1sJ4JnHFAJfXqp+pkkqIDSC9OeMYUC5Wf:++im6i
                                                                                                                                                            MD5:7C21FF446BEB27DAE44DA9E1C7DB0C2E
                                                                                                                                                            SHA1:53A45C582CD93E62AB52026AAEECE59C72CA8F6C
                                                                                                                                                            SHA-256:AD4F07B60AA90C2EB8809688E529F537603C98B591E545298CEFB57CAD61EE68
                                                                                                                                                            SHA-512:4583C8355106D5050974D3E6B4F982910F5800DB71F81EF4DB94C2F6D1AFB6405F14F0962B2BF33D0C9DFD25CBDEDF51DE3950A0B5005B4FC203F15E5C1E4799
                                                                                                                                                            Malicious:false
                                                                                                                                                            File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                            Entropy (8bit):7.228703310847611
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                            File name:ChromeFIX_errorMEM.exe
                                                                                                                                                            File size:253952
                                                                                                                                                            MD5:74b6b35627f6453d787f1c7ea3b9ec33
                                                                                                                                                            SHA1:a9282e204443fed6e0be28e8e2dfe7c927706428
                                                                                                                                                            SHA256:51921d13908bd84b1c8fbdd77e6e29d4359ce0fc40857f6f0ad15b1b6ee74730
                                                                                                                                                            SHA512:da3758d999b7a593987aa8e9d708b0b3215a442dc1f3470a81f3ddc221b7875d6c9ecb1c53fce5e7ee795a20e7267d21e8fac804089bb1b65e838c0ed9530996
                                                                                                                                                            SSDEEP:3072:W1jGFFPBsryKxPUBnIZ/C9FUYHwKLLgQmsbVVTjC3r7wcLl2byii5DzrIlu:ug3iPUZIAFUYHDPaQVXC3xR2/iNo
                                                                                                                                                            TLSH:9B441813311F3E60E1FA69B8889DF3865516E3710A6DDB5D73AB0E2E4D09DC39920B36
Icon Hash: 00828e8e8686b000
Entrypoint: 0x40370b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6415706A [Sat Mar 18 08:03:54 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: df35d969e1568731b4c070bee6bd7122
                                                                                                                                                            Instruction
                                                                                                                                                            call 00007F01BC9D1301h
                                                                                                                                                            jmp 00007F01BC9CECF9h
                                                                                                                                                            mov edi, edi
                                                                                                                                                            push esi
                                                                                                                                                            push 00000001h
                                                                                                                                                            push 0043C3E4h
                                                                                                                                                            mov esi, ecx
                                                                                                                                                            call 00007F01BC9D1381h
                                                                                                                                                            mov dword ptr [esi], 0040D8D4h
                                                                                                                                                            mov eax, esi
                                                                                                                                                            pop esi
                                                                                                                                                            ret
                                                                                                                                                            mov dword ptr [ecx], 0040D8D4h
                                                                                                                                                            jmp 00007F01BC9D13E6h
                                                                                                                                                            mov edi, edi
                                                                                                                                                            push ebp
                                                                                                                                                            mov ebp, esp
                                                                                                                                                            push esi
                                                                                                                                                            mov esi, ecx
                                                                                                                                                            mov dword ptr [esi], 0040D8D4h
                                                                                                                                                            call 00007F01BC9D13D3h
                                                                                                                                                            test byte ptr [ebp+08h], 00000001h
                                                                                                                                                            je 00007F01BC9CEE59h
                                                                                                                                                            push esi
                                                                                                                                                            call 00007F01BC9CFD1Dh
                                                                                                                                                            pop ecx
                                                                                                                                                            mov eax, esi
                                                                                                                                                            pop esi
                                                                                                                                                            pop ebp
                                                                                                                                                            retn 0004h
                                                                                                                                                            mov edi, edi
                                                                                                                                                            push ebp
                                                                                                                                                            mov ebp, esp
                                                                                                                                                            push esi
                                                                                                                                                            push dword ptr [ebp+08h]
                                                                                                                                                            mov esi, ecx
                                                                                                                                                            call 00007F01BC9D1352h
                                                                                                                                                            mov dword ptr [esi], 0040D8D4h
                                                                                                                                                            mov eax, esi
                                                                                                                                                            pop esi
                                                                                                                                                            pop ebp
                                                                                                                                                            retn 0004h
                                                                                                                                                            mov edi, edi
                                                                                                                                                            push ebp
                                                                                                                                                            mov ebp, esp
                                                                                                                                                            sub esp, 0Ch
                                                                                                                                                            jmp 00007F01BC9CEE5Fh
                                                                                                                                                            push dword ptr [ebp+08h]
                                                                                                                                                            call 00007F01BC9D166Bh
                                                                                                                                                            pop ecx
                                                                                                                                                            test eax, eax
                                                                                                                                                            je 00007F01BC9CEE61h
                                                                                                                                                            push dword ptr [ebp+08h]
                                                                                                                                                            call 00007F01BC9D1585h
                                                                                                                                                            pop ecx
                                                                                                                                                            test eax, eax
                                                                                                                                                            je 00007F01BC9CEE38h
                                                                                                                                                            leave
                                                                                                                                                            ret
                                                                                                                                                            test byte ptr [0043D420h], 00000001h
                                                                                                                                                            mov esi, 0043D414h
                                                                                                                                                            jne 00007F01BC9CEE6Bh
                                                                                                                                                            or dword ptr [0043D420h], 01h
                                                                                                                                                            mov ecx, esi
                                                                                                                                                            call 00007F01BC9CEDA9h
                                                                                                                                                            push 0040C9BBh
                                                                                                                                                            call 00007F01BC9D14F2h
                                                                                                                                                            pop ecx
                                                                                                                                                            push esi
                                                                                                                                                            lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                            call 00007F01BC9DEDE2h
                                                                                                                                                            Programming Language:
                                                                                                                                                            • [ASM] VS2008 build 21022
                                                                                                                                                            • [ C ] VS2008 build 21022
                                                                                                                                                            • [C++] VS2008 build 21022
                                                                                                                                                            • [IMP] VS2005 build 50727
                                                                                                                                                            • [C++] VS2008 SP1 build 30729
                                                                                                                                                            • [RES] VS2008 build 21022
                                                                                                                                                            • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf5f4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x5c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3f000 | 0xd44 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x10c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb9cf | 0xba00 | False | 0.5594758064516129 | data | 6.743605377395388 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x2c1a | 0x2e00 | False | 0.45541779891304346 | data | 5.897601757940328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x2dffc | 0x2d400 | False | 0.5448355490331491 | data | 7.176585474224499 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3e000 | 0x5c8 | 0x600 | False | 0.44921875 | data | 3.9110725913804987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3f000 | 0x1940 | 0x1a00 | False | 0.43704927884615385 | data | 4.306560145331581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x3e200 | 0x3c8 | data | English | United States
RT_MANIFEST | 0x3e0a0 | 0x15a | ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | GetNativeSystemInfo, IsValidCodePage, GetModuleHandleA, FreeConsole, MultiByteToWideChar, GetProcAddress, GetCommandLineA, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll | ShowScrollBar
COMDLG32.dll | GetSaveFileNameA, GetOpenFileNameA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/19/23-00:27:09.983730 | TCP | 2043233 | ET TROJAN RedLine Stealer TCP CnC net.tcp Init | 49685 | 4323 | 192.168.2.3 | 135.181.173.163
03/19/23-00:27:12.062612 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 4323 | 49685 | 135.181.173.163 | 192.168.2.3
03/19/23-00:27:21.986883 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49685 | 4323 | 192.168.2.3 | 135.181.173.163
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                            Mar 19, 2023 00:27:27.833750010 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.833802938 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.833991051 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.834032059 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.834178925 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.834249020 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.834317923 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.872215986 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.872273922 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.872312069 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.872431993 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.872531891 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.872695923 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.872868061 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.872890949 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873018026 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.873039007 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873148918 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.873179913 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873322010 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873339891 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.873512983 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873699903 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.873703003 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.873814106 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.874046087 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.874164104 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911107063 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911156893 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911194086 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911226988 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911408901 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911408901 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911484003 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911611080 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911679029 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911715031 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911822081 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911822081 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.911865950 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.911940098 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.912010908 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.912112951 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.912363052 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.912436008 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.912502050 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.912569046 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.912797928 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.912961006 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.912981033 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913053989 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.913086891 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913158894 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.913357973 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913427114 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.913539886 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913635015 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.913680077 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913739920 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.913815975 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.913914919 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.949793100 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.949903965 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950066090 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950062990 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950063944 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950254917 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950289011 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950403929 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950500965 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950604916 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950643063 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950752020 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950754881 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.950846910 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.950973988 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.951080084 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.951117992 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.951191902 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.951272011 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.951411009 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.951504946 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.951786995 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.951971054 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.952028036 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.952083111 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.988459110 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.988519907 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.988651991 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.988754034 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.988780975 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.988780975 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.988854885 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.988889933 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.988967896 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989134073 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.989216089 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989479065 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.989515066 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.989562988 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989587069 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989706039 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.989792109 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989846945 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.989908934 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.989983082 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990042925 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990180969 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990281105 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990366936 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990444899 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990490913 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990556002 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990622997 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990750074 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990856886 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.990890026 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.990966082 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:27.991034985 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:27.991096020 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.027163029 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.027230024 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.027264118 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.184667110 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.184726954 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.184818983 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.219717026 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.219774961 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.219841003 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.219841003 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220043898 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.220124006 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220158100 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.220236063 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220304012 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.220392942 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220696926 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.220787048 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.220788956 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220858097 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.220964909 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.221045971 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.221158981 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.221303940 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.221318007 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.221431017 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.221688032 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.221797943 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.221829891 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.221894979 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.222362995 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.222464085 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.222526073 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.222609997 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.222655058 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.222779989 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.222866058 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.222948074 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.223057985 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.223144054 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.223193884 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.223264933 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258160114 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.258229971 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.258302927 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258372068 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258387089 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.258485079 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258574009 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.258651972 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258677959 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.258765936 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.258887053 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.259007931 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.260814905 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.260905981 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.260909081 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.260941029 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.260974884 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.260977030 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261008978 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261044025 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261053085 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261053085 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261076927 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261110067 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261111975 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261146069 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261152029 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261187077 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261223078 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261235952 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261235952 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261255980 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261312008 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261388063 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.261418104 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.261503935 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.296654940 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.296705961 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.296783924 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.296783924 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.296891928 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.296976089 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.297023058 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.297110081 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.299417019 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.299508095 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.299593925 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.299684048 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.299734116 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.299781084 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.299873114 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.299947977 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300075054 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300148964 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300185919 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300263882 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300328016 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300412893 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300570965 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300658941 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300757885 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300827026 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.300894022 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.300990105 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.301090002 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.301192045 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.301229000 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.301367044 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.301369905 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.301446915 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.335211992 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.335261106 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.335313082 CET496854323192.168.2.3135.181.173.163
                                                                                                                                                            Mar 19, 2023 00:27:28.337735891 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.337786913 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.338012934 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.338166952 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.338520050 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.338677883 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.338891029 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.339267015 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.339394093 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.339720964 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.339917898 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.340050936 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.340399981 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.373594046 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.435976028 CET432349685135.181.173.163192.168.2.3
                                                                                                                                                            Mar 19, 2023 00:27:28.469144106 CET496854323192.168.2.3135.181.173.163


Target ID: 0
Start time: 00:26:57
Start date: 19/03/2023
Path: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
Imagebase: 0xfd0000
File size: 253952 bytes
MD5 hash: 74B6B35627F6453D787F1C7EA3B9EC33
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:low

                                                                                                                                                            Target ID:1
                                                                                                                                                            Start time:00:26:57
                                                                                                                                                            Start date:19/03/2023
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff745070000
                                                                                                                                                            File size:625664 bytes
                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            Target ID:2
                                                                                                                                                            Start time:00:26:58
                                                                                                                                                            Start date:19/03/2023
                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                                                                                                                                                            Imagebase:0x40000
                                                                                                                                                            File size:98912 bytes
                                                                                                                                                            MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:high

                                                                                                                                                            Target ID:4
                                                                                                                                                            Start time:00:26:58
                                                                                                                                                            Start date:19/03/2023
                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132
                                                                                                                                                            Imagebase:0xf40000
                                                                                                                                                            File size:434592 bytes
                                                                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                              Execution Graph

                                                                                                                                                              Execution Coverage:11.2%
                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                              Signature Coverage:7.7%
                                                                                                                                                              Total number of Nodes:1359
                                                                                                                                                              Total number of Limit Nodes:12
67 API calls 5736->5737 5738 fd96ac 5737->5738 5739 fd77a4 __freefls@4 67 API calls 5738->5739 5740 fd96b4 5739->5740 5741 fd77a4 __freefls@4 67 API calls 5740->5741 5742 fd96bc 5741->5742 5743 fd77a4 __freefls@4 67 API calls 5742->5743 5744 fd96c4 5743->5744 5745 fd77a4 __freefls@4 67 API calls 5744->5745 5746 fd96cc 5745->5746 5747 fd77a4 __freefls@4 67 API calls 5746->5747 5748 fd96d4 5747->5748 5749 fd77a4 __freefls@4 67 API calls 5748->5749 5750 fd96dc 5749->5750 5751 fd77a4 __freefls@4 67 API calls 5750->5751 5752 fd96e4 5751->5752 5753 fd77a4 __freefls@4 67 API calls 5752->5753 5754 fd96ec 5753->5754 5755 fd77a4 __freefls@4 67 API calls 5754->5755 5756 fd96f4 5755->5756 5757 fd77a4 __freefls@4 67 API calls 5756->5757 5758 fd96fc 5757->5758 5759 fd77a4 __freefls@4 67 API calls 5758->5759 5760 fd9704 5759->5760 5761 fd77a4 __freefls@4 67 API calls 5760->5761 5762 fd970c 5761->5762 5763 fd77a4 __freefls@4 67 API calls 5762->5763 5764 fd9714 5763->5764 5765 fd77a4 __freefls@4 67 API calls 5764->5765 5766 fd9722 5765->5766 5767 fd77a4 __freefls@4 67 API calls 5766->5767 5768 fd972d 5767->5768 5769 fd77a4 __freefls@4 67 API calls 5768->5769 5770 fd9738 5769->5770 5771 fd77a4 __freefls@4 67 API calls 5770->5771 5772 fd9743 5771->5772 5773 fd77a4 __freefls@4 67 API calls 5772->5773 5774 fd974e 5773->5774 5775 fd77a4 __freefls@4 67 API calls 5774->5775 5776 fd9759 5775->5776 5777 fd77a4 __freefls@4 67 API calls 5776->5777 5778 fd9764 5777->5778 5779 fd77a4 __freefls@4 67 API calls 5778->5779 5780 fd976f 5779->5780 5781 fd77a4 __freefls@4 67 API calls 5780->5781 5782 fd977a 5781->5782 5783 fd77a4 __freefls@4 67 API calls 5782->5783 5784 fd9785 5783->5784 5785 fd77a4 __freefls@4 67 API calls 5784->5785 5785->5786 5786->5657 5787->5630 5791 fd791e LeaveCriticalSection 5788->5791 5790 fd6315 5790->5609 5791->5790 5793 fd6584 __freefls@4 5792->5793 5794 fd56cb __getptd 67 API calls 5793->5794 5795 fd658d 5794->5795 5796 fd6273 __setmbcp 69 API calls 5795->5796 5797 fd6597 
5796->5797 5823 fd6317 5797->5823 5800 fd80f9 __malloc_crt 67 API calls 5801 fd65b8 5800->5801 5802 fd66d7 __freefls@4 5801->5802 5830 fd6393 5801->5830 5802->5569 5805 fd65e8 InterlockedDecrement 5807 fd6609 InterlockedIncrement 5805->5807 5808 fd65f8 5805->5808 5806 fd66e4 5806->5802 5809 fd66f7 5806->5809 5811 fd77a4 __freefls@4 67 API calls 5806->5811 5807->5802 5810 fd661f 5807->5810 5808->5807 5813 fd77a4 __freefls@4 67 API calls 5808->5813 5812 fd7375 _strcpy_s 67 API calls 5809->5812 5810->5802 5815 fd79f8 __lock 67 API calls 5810->5815 5811->5809 5812->5802 5814 fd6608 5813->5814 5814->5807 5817 fd6633 InterlockedDecrement 5815->5817 5818 fd66af 5817->5818 5819 fd66c2 InterlockedIncrement 5817->5819 5818->5819 5821 fd77a4 __freefls@4 67 API calls 5818->5821 5840 fd66d9 5819->5840 5822 fd66c1 5821->5822 5822->5819 5824 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 5823->5824 5825 fd632b 5824->5825 5826 fd6354 5825->5826 5827 fd6336 GetOEMCP 5825->5827 5828 fd6359 GetACP 5826->5828 5829 fd6346 5826->5829 5827->5829 5828->5829 5829->5800 5829->5802 5831 fd6317 getSystemCP 79 API calls 5830->5831 5832 fd63b3 5831->5832 5833 fd63be setSBCS 5832->5833 5835 fd6402 IsValidCodePage 5832->5835 5839 fd6427 _memset __setmbcp_nolock 5832->5839 5834 fd7594 ___mtold12 5 API calls 5833->5834 5836 fd6576 5834->5836 5835->5833 5837 fd6414 GetCPInfo 5835->5837 5836->5805 5836->5806 5837->5833 5837->5839 5843 fd60e0 GetCPInfo 5839->5843 5976 fd791e LeaveCriticalSection 5840->5976 5842 fd66e0 5842->5802 5844 fd6114 _memset 5843->5844 5852 fd61c6 5843->5852 5853 fd95bf 5844->5853 5848 fd7594 ___mtold12 5 API calls 5850 fd6271 5848->5850 5850->5839 5851 fd93c0 ___crtLCMapStringA 102 API calls 5851->5852 5852->5848 5854 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 5853->5854 5855 fd95d2 5854->5855 5863 fd9405 5855->5863 5858 fd93c0 5859 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 5858->5859 5860 fd93d3 5859->5860 5929 fd901b 5860->5929 5864 fd9426 GetStringTypeW 
5863->5864 5865 fd9451 5863->5865 5866 fd9446 GetLastError 5864->5866 5869 fd943e 5864->5869 5867 fd9538 5865->5867 5865->5869 5866->5865 5891 fdc04f GetLocaleInfoA 5867->5891 5868 fd948a MultiByteToWideChar 5874 fd94b7 5868->5874 5886 fd9532 5868->5886 5869->5868 5869->5886 5871 fd7594 ___mtold12 5 API calls 5873 fd6181 5871->5873 5873->5858 5879 fd94cc _memset __alloca_probe_16 5874->5879 5880 fd5ece _malloc 67 API calls 5874->5880 5875 fd9589 GetStringTypeA 5878 fd95a4 5875->5878 5875->5886 5877 fd9505 MultiByteToWideChar 5882 fd952c 5877->5882 5883 fd951b GetStringTypeW 5877->5883 5884 fd77a4 __freefls@4 67 API calls 5878->5884 5879->5877 5879->5886 5880->5879 5887 fd8ffb 5882->5887 5883->5882 5884->5886 5886->5871 5888 fd9018 5887->5888 5889 fd9007 5887->5889 5888->5886 5889->5888 5890 fd77a4 __freefls@4 67 API calls 5889->5890 5890->5888 5892 fdc082 5891->5892 5894 fdc07d 5891->5894 5922 fdc27c 5892->5922 5895 fd7594 ___mtold12 5 API calls 5894->5895 5896 fd955c 5895->5896 5896->5875 5896->5886 5897 fdc098 5896->5897 5898 fdc0d8 GetCPInfo 5897->5898 5899 fdc162 5897->5899 5900 fdc14d MultiByteToWideChar 5898->5900 5901 fdc0ef 5898->5901 5902 fd7594 ___mtold12 5 API calls 5899->5902 5900->5899 5906 fdc108 _strlen 5900->5906 5901->5900 5903 fdc0f5 GetCPInfo 5901->5903 5904 fd957d 5902->5904 5903->5900 5905 fdc102 5903->5905 5904->5875 5904->5886 5905->5900 5905->5906 5907 fd5ece _malloc 67 API calls 5906->5907 5911 fdc13a _memset __alloca_probe_16 5906->5911 5907->5911 5908 fdc197 MultiByteToWideChar 5909 fdc1af 5908->5909 5910 fdc1ce 5908->5910 5913 fdc1b6 WideCharToMultiByte 5909->5913 5914 fdc1d3 5909->5914 5912 fd8ffb __freea 67 API calls 5910->5912 5911->5899 5911->5908 5912->5899 5913->5910 5915 fdc1de WideCharToMultiByte 5914->5915 5916 fdc1f2 5914->5916 5915->5910 5915->5916 5917 fd813e __calloc_crt 67 API calls 5916->5917 5918 fdc1fa 5917->5918 5918->5910 5919 fdc203 WideCharToMultiByte 5918->5919 5919->5910 5920 fdc215 5919->5920 5921 fd77a4 
__freefls@4 67 API calls 5920->5921 5921->5910 5925 fdc81a 5922->5925 5926 fdc833 5925->5926 5927 fdc5eb strtoxl 91 API calls 5926->5927 5928 fdc28d 5927->5928 5928->5894 5930 fd903c LCMapStringW 5929->5930 5934 fd9057 5929->5934 5931 fd905f GetLastError 5930->5931 5930->5934 5931->5934 5932 fd9255 5936 fdc04f ___ansicp 91 API calls 5932->5936 5933 fd90b1 5935 fd90ca MultiByteToWideChar 5933->5935 5953 fd924c 5933->5953 5934->5932 5934->5933 5945 fd90f7 5935->5945 5935->5953 5938 fd927d 5936->5938 5937 fd7594 ___mtold12 5 API calls 5940 fd61a1 5937->5940 5941 fd9296 5938->5941 5942 fd9371 LCMapStringA 5938->5942 5938->5953 5939 fd9110 __alloca_probe_16 5944 fd9148 MultiByteToWideChar 5939->5944 5939->5953 5940->5851 5943 fdc098 ___convertcp 74 API calls 5941->5943 5946 fd92cd 5942->5946 5948 fd92a8 5943->5948 5949 fd9243 5944->5949 5950 fd9161 LCMapStringW 5944->5950 5945->5939 5947 fd5ece _malloc 67 API calls 5945->5947 5951 fd9398 5946->5951 5956 fd77a4 __freefls@4 67 API calls 5946->5956 5947->5939 5952 fd92b2 LCMapStringA 5948->5952 5948->5953 5954 fd8ffb __freea 67 API calls 5949->5954 5950->5949 5955 fd9182 5950->5955 5951->5953 5958 fd77a4 __freefls@4 67 API calls 5951->5958 5952->5946 5961 fd92d4 5952->5961 5953->5937 5954->5953 5957 fd918b 5955->5957 5960 fd91b4 5955->5960 5956->5951 5957->5949 5959 fd919d LCMapStringW 5957->5959 5958->5953 5959->5949 5963 fd91cf __alloca_probe_16 5960->5963 5965 fd5ece _malloc 67 API calls 5960->5965 5964 fd92e5 _memset __alloca_probe_16 5961->5964 5966 fd5ece _malloc 67 API calls 5961->5966 5962 fd9203 LCMapStringW 5967 fd923d 5962->5967 5968 fd921b WideCharToMultiByte 5962->5968 5963->5949 5963->5962 5964->5946 5970 fd9323 LCMapStringA 5964->5970 5965->5963 5966->5964 5969 fd8ffb __freea 67 API calls 5967->5969 5968->5967 5969->5949 5971 fd933f 5970->5971 5972 fd9343 5970->5972 5975 fd8ffb __freea 67 API calls 5971->5975 5974 fdc098 ___convertcp 74 API calls 5972->5974 5974->5971 5975->5946 5976->5842 5978 fd434c 
5977->5978 5979 fd5404 __encode_pointer 7 API calls 5978->5979 5980 fd4364 5978->5980 5979->5978 5980->5140 5984 fd5e2c 5981->5984 5983 fd5e75 5983->5142 5985 fd5e38 __freefls@4 5984->5985 5992 fd4719 5985->5992 5991 fd5e59 __freefls@4 5991->5983 5993 fd79f8 __lock 67 API calls 5992->5993 5994 fd4720 5993->5994 5995 fd5d41 5994->5995 5996 fd547f __decode_pointer 6 API calls 5995->5996 5997 fd5d55 5996->5997 5998 fd547f __decode_pointer 6 API calls 5997->5998 6000 fd5d65 5998->6000 5999 fd5de8 6012 fd5e62 5999->6012 6000->5999 6015 fd8f58 6000->6015 6002 fd5dcf 6003 fd5404 __encode_pointer 7 API calls 6002->6003 6004 fd5ddd 6003->6004 6007 fd5404 __encode_pointer 7 API calls 6004->6007 6005 fd5da7 6005->5999 6009 fd818a __realloc_crt 74 API calls 6005->6009 6010 fd5dbd 6005->6010 6006 fd5d83 6006->6002 6006->6005 6028 fd818a 6006->6028 6007->5999 6009->6010 6010->5999 6011 fd5404 __encode_pointer 7 API calls 6010->6011 6011->6002 6078 fd4722 6012->6078 6016 fd8f64 __freefls@4 6015->6016 6017 fd8f74 6016->6017 6018 fd8f91 6016->6018 6019 fd7375 _strcpy_s 67 API calls 6017->6019 6020 fd8fd2 HeapSize 6018->6020 6022 fd79f8 __lock 67 API calls 6018->6022 6021 fd8f79 6019->6021 6024 fd8f89 __freefls@4 6020->6024 6023 fd6b8c _strcpy_s 6 API calls 6021->6023 6025 fd8fa1 ___sbh_find_block 6022->6025 6023->6024 6024->6006 6033 fd8ff2 6025->6033 6029 fd8193 6028->6029 6031 fd81d2 6029->6031 6032 fd81b3 Sleep 6029->6032 6037 fdbcfa 6029->6037 6031->6005 6032->6029 6036 fd791e LeaveCriticalSection 6033->6036 6035 fd8fcd 6035->6020 6035->6024 6036->6035 6038 fdbd06 __freefls@4 6037->6038 6039 fdbd0d 6038->6039 6040 fdbd1b 6038->6040 6041 fd5ece _malloc 67 API calls 6039->6041 6042 fdbd2e 6040->6042 6043 fdbd22 6040->6043 6058 fdbd15 _realloc __freefls@4 6041->6058 6050 fdbea0 6042->6050 6072 fdbd3b ___sbh_resize_block ___sbh_find_block 6042->6072 6044 fd77a4 __freefls@4 67 API calls 6043->6044 6044->6058 6045 fdbed3 6046 fd5fa7 _malloc 6 API calls 6045->6046 6049 fdbed9 
6046->6049 6047 fd79f8 __lock 67 API calls 6047->6072 6048 fdbea5 HeapReAlloc 6048->6050 6048->6058 6052 fd7375 _strcpy_s 67 API calls 6049->6052 6050->6045 6050->6048 6051 fdbef7 6050->6051 6053 fd5fa7 _malloc 6 API calls 6050->6053 6056 fdbeed 6050->6056 6054 fd7375 _strcpy_s 67 API calls 6051->6054 6051->6058 6052->6058 6053->6050 6055 fdbf00 GetLastError 6054->6055 6055->6058 6059 fd7375 _strcpy_s 67 API calls 6056->6059 6058->6029 6061 fdbe6e 6059->6061 6060 fdbdc6 HeapAlloc 6060->6072 6061->6058 6062 fdbe73 GetLastError 6061->6062 6062->6058 6063 fdbe1b HeapReAlloc 6063->6072 6064 fd8a22 ___sbh_alloc_block 5 API calls 6064->6072 6065 fdbe86 6065->6058 6067 fd7375 _strcpy_s 67 API calls 6065->6067 6066 fd5fa7 _malloc 6 API calls 6066->6072 6070 fdbe93 6067->6070 6068 fdbe69 6071 fd7375 _strcpy_s 67 API calls 6068->6071 6069 fd3220 __VEC_memcpy _realloc 6069->6072 6070->6055 6070->6058 6071->6061 6072->6045 6072->6047 6072->6058 6072->6060 6072->6063 6072->6064 6072->6065 6072->6066 6072->6068 6072->6069 6073 fd8273 VirtualFree VirtualFree HeapFree ___sbh_free_block 6072->6073 6074 fdbe3e 6072->6074 6073->6072 6077 fd791e LeaveCriticalSection 6074->6077 6076 fdbe45 6076->6072 6077->6076 6081 fd791e LeaveCriticalSection 6078->6081 6080 fd4729 6080->5991 6081->6080 6083 fd47fd __freefls@4 6082->6083 6084 fd79f8 __lock 67 API calls 6083->6084 6085 fd4804 6084->6085 6088 fd547f __decode_pointer 6 API calls 6085->6088 6092 fd48bd __initterm 6085->6092 6090 fd483b 6088->6090 6089 fd4905 __freefls@4 6089->5162 6090->6092 6094 fd547f __decode_pointer 6 API calls 6090->6094 6099 fd4908 6092->6099 6093 fd48fc 6095 fd4701 _malloc 3 API calls 6093->6095 6098 fd4850 6094->6098 6095->6089 6096 fd547f 6 API calls __decode_pointer 6096->6098 6097 fd5476 7 API calls _raise 6097->6098 6098->6092 6098->6096 6098->6097 6100 fd490e 6099->6100 6102 fd48e9 6099->6102 6104 fd791e LeaveCriticalSection 6100->6104 6102->6089 6103 fd791e LeaveCriticalSection 6102->6103 6103->6093 
6104->6102 6170 fd31fb 6171 fd3205 __fpmath 6170->6171 6176 fd43d0 GetModuleHandleA 6171->6176 6174 fd321a 6177 fd43df GetProcAddress 6176->6177 6178 fd320a 6176->6178 6177->6178 6178->6174 6179 fd4367 6178->6179 6184 fd7738 6179->6184 6181 fd437c 6182 fd438d 6181->6182 6183 fd6a64 __invoke_watson 10 API calls 6181->6183 6182->6174 6183->6182 6186 fd7753 __control87 6184->6186 6189 fd777c __control87 6184->6189 6185 fd7375 _strcpy_s 67 API calls 6187 fd776d 6185->6187 6186->6185 6188 fd6b8c _strcpy_s 6 API calls 6187->6188 6188->6189 6189->6181 6190 fd5dfb 6191 fd813e __calloc_crt 67 API calls 6190->6191 6192 fd5e07 6191->6192 6193 fd5404 __encode_pointer 7 API calls 6192->6193 6194 fd5e0f 6193->6194 6407 fd373b 6408 fd5ccc ctype 67 API calls 6407->6408 6409 fd374e ctype 6408->6409 6195 fd7df4 6196 fd7e00 SetLastError 6195->6196 6197 fd7e08 __freefls@4 6195->6197 6196->6197 6198 fd39f7 6201 fd386b 6198->6201 6202 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6201->6202 6203 fd387f 6202->6203 6210 fd6d46 6203->6210 6205 fd388b 6206 fd389f 6205->6206 6214 fd6c03 6205->6214 6208 fd6d46 __forcdecpt_l 102 API calls 6206->6208 6209 fd38a8 6208->6209 6211 fd6d64 6210->6211 6212 fd6d54 6210->6212 6219 fd6c31 6211->6219 6212->6205 6215 fd6c11 6214->6215 6216 fd6c23 6214->6216 6215->6205 6241 fd6bb2 6216->6241 6220 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6219->6220 6221 fd6c46 6220->6221 6222 fd6ca6 6221->6222 6223 fd6c52 6221->6223 6228 fd6ccb 6222->6228 6238 fd99c0 6222->6238 6230 fd6c6a 6223->6230 6231 fd9908 6223->6231 6224 fd7375 _strcpy_s 67 API calls 6227 fd6cd1 6224->6227 6229 fd93c0 ___crtLCMapStringA 102 API calls 6227->6229 6228->6224 6228->6227 6229->6230 6230->6212 6232 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6231->6232 6233 fd991c 6232->6233 6234 fd99c0 __isleadbyte_l 77 API calls 6233->6234 6237 fd9929 6233->6237 6235 fd9951 6234->6235 6236 fd95bf ___crtGetStringTypeA 91 API calls 6235->6236 6236->6237 6237->6230 6239 fd37e4 
_LocaleUpdate::_LocaleUpdate 77 API calls 6238->6239 6240 fd99d3 6239->6240 6240->6228 6242 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6241->6242 6243 fd6bc5 6242->6243 6244 fd6bdf 6243->6244 6245 fd9908 __isctype_l 91 API calls 6243->6245 6244->6205 6245->6244 6166 fd5476 6167 fd5404 __encode_pointer 7 API calls 6166->6167 6168 fd547d 6167->6168 6246 fd54f1 TlsAlloc 6410 fd3731 6411 fd374e ctype 6410->6411 6412 fd5ccc ctype 67 API calls 6410->6412 6412->6411 6413 fd5a30 6414 fd5a5c 6413->6414 6415 fd5a69 6413->6415 6416 fd7594 ___mtold12 5 API calls 6414->6416 6417 fd7594 ___mtold12 5 API calls 6415->6417 6416->6415 6425 fd5a79 __except_handler4 __IsNonwritableInCurrentImage 6417->6425 6418 fd5afc 6419 fd5aec 6421 fd7594 ___mtold12 5 API calls 6419->6421 6420 fd7594 ___mtold12 5 API calls 6420->6419 6421->6418 6423 fd5b4b __except_handler4 6424 fd5b7f 6423->6424 6426 fd7594 ___mtold12 5 API calls 6423->6426 6427 fd7594 ___mtold12 5 API calls 6424->6427 6425->6418 6428 fd5ad2 __except_handler4 6425->6428 6429 fd8e2a RtlUnwind 6425->6429 6426->6424 6427->6428 6428->6418 6428->6419 6428->6420 6429->6423 6430 fd462d 6431 fd4669 6430->6431 6433 fd463f 6430->6433 6433->6431 6434 fd7832 6433->6434 6435 fd783e __freefls@4 6434->6435 6436 fd56cb __getptd 67 API calls 6435->6436 6438 fd7843 6436->6438 6437 fdbac5 _abort 69 API calls 6439 fd7865 __freefls@4 6437->6439 6438->6437 6439->6431 6247 fd5cef 6250 fd5ccc 6247->6250 6249 fd5cfc ctype 6251 fd5cd8 6250->6251 6252 fd5ce0 6250->6252 6253 fd77a4 __freefls@4 67 API calls 6251->6253 6252->6249 6253->6252 6357 fd466f SetUnhandledExceptionFilter 6254 fd56e5 6256 fd56f1 __freefls@4 6254->6256 6255 fd5709 6258 fd5717 6255->6258 6260 fd77a4 __freefls@4 67 API calls 6255->6260 6256->6255 6257 fd77a4 __freefls@4 67 API calls 6256->6257 6259 fd57f3 __freefls@4 6256->6259 6257->6255 6261 fd77a4 __freefls@4 67 API calls 6258->6261 6262 fd5725 6258->6262 6260->6258 6261->6262 6263 fd5733 6262->6263 6265 fd77a4 __freefls@4 67 API 
calls 6262->6265 6264 fd5741 6263->6264 6266 fd77a4 __freefls@4 67 API calls 6263->6266 6267 fd574f 6264->6267 6268 fd77a4 __freefls@4 67 API calls 6264->6268 6265->6263 6266->6264 6269 fd575d 6267->6269 6270 fd77a4 __freefls@4 67 API calls 6267->6270 6268->6267 6271 fd576e 6269->6271 6273 fd77a4 __freefls@4 67 API calls 6269->6273 6270->6269 6272 fd79f8 __lock 67 API calls 6271->6272 6274 fd5776 6272->6274 6273->6271 6275 fd579b 6274->6275 6276 fd5782 InterlockedDecrement 6274->6276 6290 fd57ff 6275->6290 6276->6275 6277 fd578d 6276->6277 6277->6275 6280 fd77a4 __freefls@4 67 API calls 6277->6280 6280->6275 6281 fd79f8 __lock 67 API calls 6282 fd57af 6281->6282 6283 fd57e0 6282->6283 6285 fd6908 ___removelocaleref 8 API calls 6282->6285 6293 fd580b 6283->6293 6288 fd57c4 6285->6288 6287 fd77a4 __freefls@4 67 API calls 6287->6259 6288->6283 6289 fd6730 ___freetlocinfo 67 API calls 6288->6289 6289->6283 6296 fd791e LeaveCriticalSection 6290->6296 6292 fd57a8 6292->6281 6297 fd791e LeaveCriticalSection 6293->6297 6295 fd57ed 6295->6287 6296->6292 6297->6295 6298 fd36e1 6299 fd36f6 6298->6299 6300 fd36f0 6298->6300 6307 fd4958 6299->6307 6304 fd4933 6300->6304 6303 fd36fb __freefls@4 6305 fd47f1 _doexit 67 API calls 6304->6305 6306 fd4944 6305->6306 6306->6299 6308 fd47f1 _doexit 67 API calls 6307->6308 6309 fd4963 6308->6309 6309->6303 6443 fd5d20 6446 fd5d10 6443->6446 6445 fd5d2d ctype 6449 fd8e5b 6446->6449 6448 fd5d1e 6448->6445 6450 fd8e67 __freefls@4 6449->6450 6451 fd79f8 __lock 67 API calls 6450->6451 6455 fd8e6e 6451->6455 6452 fd8ea7 6459 fd8ec2 6452->6459 6454 fd8e9e 6457 fd77a4 __freefls@4 67 API calls 6454->6457 6455->6452 6455->6454 6458 fd77a4 __freefls@4 67 API calls 6455->6458 6456 fd8eb8 __freefls@4 6456->6448 6457->6452 6458->6454 6462 fd791e LeaveCriticalSection 6459->6462 6461 fd8ec9 6461->6456 6462->6461 6463 fd4323 6466 fd429b 6463->6466 6465 fd4341 6467 fd42a8 6466->6467 6468 fd4307 6466->6468 6467->6468 6470 fd42ad 6467->6470 6524 fd3b8c 
6468->6524 6472 fd42cb 6470->6472 6473 fd42b2 6470->6473 6471 fd42ec 6471->6465 6475 fd42ee 6472->6475 6478 fd42d5 6472->6478 6480 fd40e6 6473->6480 6511 fd3c7c 6475->6511 6494 fd41a1 6478->6494 6538 fd7504 6480->6538 6483 fd4120 6484 fd7375 _strcpy_s 67 API calls 6483->6484 6486 fd4125 6484->6486 6485 fd413f 6548 fd7388 6485->6548 6487 fd6b8c _strcpy_s 6 API calls 6486->6487 6488 fd4131 6487->6488 6491 fd7594 ___mtold12 5 API calls 6488->6491 6490 fd4172 6490->6488 6557 fd3fef 6490->6557 6492 fd419f 6491->6492 6492->6465 6495 fd7504 __fltout2 67 API calls 6494->6495 6496 fd41d2 6495->6496 6497 fd41db 6496->6497 6500 fd41fd 6496->6500 6498 fd7375 _strcpy_s 67 API calls 6497->6498 6499 fd41e0 6498->6499 6501 fd6b8c _strcpy_s 6 API calls 6499->6501 6502 fd7388 __fptostr 67 API calls 6500->6502 6503 fd41ec 6501->6503 6504 fd4229 6502->6504 6505 fd7594 ___mtold12 5 API calls 6503->6505 6504->6503 6507 fd4270 6504->6507 6508 fd4248 6504->6508 6506 fd4299 6505->6506 6506->6471 6578 fd3a1d 6507->6578 6510 fd3fef __cftof2_l 77 API calls 6508->6510 6510->6503 6512 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6511->6512 6513 fd3ca1 6512->6513 6514 fd3cb0 6513->6514 6515 fd3ce0 6513->6515 6516 fd7375 _strcpy_s 67 API calls 6514->6516 6517 fd3cee 6515->6517 6521 fd3cf7 6515->6521 6518 fd3cb5 6516->6518 6519 fd7375 _strcpy_s 67 API calls 6517->6519 6520 fd6b8c _strcpy_s 6 API calls 6518->6520 6519->6518 6523 fd3cc4 __alldvrm _memset __cftoa_l _strrchr 6520->6523 6521->6523 6593 fd3c5c 6521->6593 6523->6471 6525 fd7504 __fltout2 67 API calls 6524->6525 6526 fd3bbd 6525->6526 6527 fd3bc6 6526->6527 6528 fd3be5 6526->6528 6529 fd7375 _strcpy_s 67 API calls 6527->6529 6532 fd7388 __fptostr 67 API calls 6528->6532 6530 fd3bcb 6529->6530 6531 fd6b8c _strcpy_s 6 API calls 6530->6531 6533 fd3bd7 6531->6533 6534 fd3c29 6532->6534 6535 fd7594 ___mtold12 5 API calls 6533->6535 6534->6533 6536 fd3a1d __cftoe2_l 77 API calls 6534->6536 6537 fd3c5a 6535->6537 6536->6533 6537->6471 6539 
fd752f ___dtold 6538->6539 6564 fdab78 6539->6564 6542 fd72cb _strcpy_s 67 API calls 6543 fd756a 6542->6543 6544 fd6a64 __invoke_watson 10 API calls 6543->6544 6546 fd757d 6543->6546 6544->6546 6545 fd7594 ___mtold12 5 API calls 6547 fd4117 6545->6547 6546->6545 6547->6483 6547->6485 6549 fd73bd 6548->6549 6550 fd739f 6548->6550 6549->6550 6553 fd73c2 6549->6553 6551 fd7375 _strcpy_s 67 API calls 6550->6551 6552 fd73a4 6551->6552 6554 fd6b8c _strcpy_s 6 API calls 6552->6554 6555 fd7375 _strcpy_s 67 API calls 6553->6555 6556 fd73b3 __cftoe2_l _strlen 6553->6556 6554->6556 6555->6552 6556->6490 6558 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6557->6558 6559 fd400d 6558->6559 6560 fd7375 _strcpy_s 67 API calls 6559->6560 6563 fd4027 _memset __shift 6559->6563 6561 fd4016 6560->6561 6562 fd6b8c _strcpy_s 6 API calls 6561->6562 6562->6563 6563->6488 6565 fdabee 6564->6565 6566 fdac5b 6565->6566 6571 fdac73 6565->6571 6577 fdac0b 6565->6577 6568 fd72cb _strcpy_s 67 API calls 6566->6568 6567 fd7594 ___mtold12 5 API calls 6569 fd754a 6567->6569 6570 fdacbe 6568->6570 6569->6542 6572 fd6a64 __invoke_watson 10 API calls 6570->6572 6570->6577 6573 fd72cb _strcpy_s 67 API calls 6571->6573 6572->6577 6574 fdac92 6573->6574 6575 fd6a64 __invoke_watson 10 API calls 6574->6575 6574->6577 6575->6577 6576 fdb470 6577->6567 6577->6576 6579 fd37e4 _LocaleUpdate::_LocaleUpdate 77 API calls 6578->6579 6580 fd3a35 6579->6580 6581 fd3a3b 6580->6581 6582 fd3a6b 6580->6582 6583 fd7375 _strcpy_s 67 API calls 6581->6583 6584 fd3a7f 6582->6584 6588 fd3a88 __shift 6582->6588 6587 fd3a40 6583->6587 6586 fd7375 _strcpy_s 67 API calls 6584->6586 6585 fd6b8c _strcpy_s 6 API calls 6592 fd3a4f __cftoe2_l 6585->6592 6586->6587 6587->6585 6589 fd72cb _strcpy_s 67 API calls 6588->6589 6590 fd3b03 6589->6590 6591 fd6a64 __invoke_watson 10 API calls 6590->6591 6590->6592 6591->6592 6592->6503 6594 fd3b8c __cftoe_l 77 API calls 6593->6594 6595 fd3c77 6594->6595 6595->6523 6353 fd8d98 6354 fd8daa 
6353->6354 6356 fd8db8 @_EH4_CallFilterFunc@8 6353->6356 6355 fd7594 ___mtold12 5 API calls 6354->6355 6355->6356 6596 fdbf18 RtlUnwind 6358 fd7856 6359 fd7859 6358->6359 6362 fdbac5 6359->6362 6363 fdbaeb 6362->6363 6364 fdbae4 6362->6364 6374 fd7bd2 6363->6374 6365 fd49b5 __NMSG_WRITE 67 API calls 6364->6365 6365->6363 6369 fdbbd4 6371 fd4933 _raise 67 API calls 6369->6371 6370 fdbafc _memset 6370->6369 6373 fdbb94 SetUnhandledExceptionFilter UnhandledExceptionFilter 6370->6373 6372 fdbbdb 6371->6372 6373->6369 6375 fd547f __decode_pointer 6 API calls 6374->6375 6376 fd7bdd 6375->6376 6376->6370 6377 fd7bdf 6376->6377 6380 fd7beb __freefls@4 6377->6380 6378 fd7c47 6379 fd7c28 6378->6379 6383 fd7c56 6378->6383 6384 fd547f __decode_pointer 6 API calls 6379->6384 6380->6378 6380->6379 6381 fd7c12 6380->6381 6386 fd7c0e 6380->6386 6382 fd5652 __getptd_noexit 67 API calls 6381->6382 6387 fd7c17 _siglookup 6382->6387 6385 fd7375 _strcpy_s 67 API calls 6383->6385 6384->6387 6388 fd7c5b 6385->6388 6386->6381 6386->6383 6390 fd7cbd 6387->6390 6391 fd4933 _raise 67 API calls 6387->6391 6397 fd7c20 __freefls@4 6387->6397 6389 fd6b8c _strcpy_s 6 API calls 6388->6389 6389->6397 6392 fd79f8 __lock 67 API calls 6390->6392 6393 fd7cc8 6390->6393 6391->6390 6392->6393 6394 fd5476 _raise 7 API calls 6393->6394 6395 fd7cfd 6393->6395 6394->6395 6398 fd7d53 6395->6398 6397->6370 6399 fd7d59 6398->6399 6400 fd7d60 6398->6400 6402 fd791e LeaveCriticalSection 6399->6402 6400->6397 6402->6400 6169 fd1090 IsValidCodePage GetModuleHandleA GetProcAddress VirtualProtect 6310 fd36cd 6313 fd4b9a 6310->6313 6314 fd5652 __getptd_noexit 67 API calls 6313->6314 6315 fd36de 6314->6315 6597 fd370b 6600 fd5bbc 6597->6600 6599 fd3710 6599->6599 6601 fd5bee GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 6600->6601 6602 fd5be1 6600->6602 6603 fd5be5 6601->6603 6602->6601 6602->6603 6603->6599 6604 fd3a0a 6607 fd38de 6604->6607 6608 fd37e4 
_LocaleUpdate::_LocaleUpdate 77 API calls 6607->6608 6609 fd38f2 6608->6609 6105 fd2947 6106 fd2977 6105->6106 6113 fd1130 6106->6113 6110 fd2d55 6121 100bd89 6110->6121 6111 fd2d67 6114 fd3220 _realloc __VEC_memcpy 6113->6114 6115 fd114d 6114->6115 6116 fd1200 6115->6116 6140 fd3190 6116->6140 6119 fd3220 _realloc __VEC_memcpy 6120 fd1247 6119->6120 6120->6110 6122 100bd9f 6121->6122 6138 100c31d 6121->6138 6122->6138 6164 100bd54 GetPEB 6122->6164 6124 100be30 6125 100bd54 GetPEB 6124->6125 6137 100be3b 6125->6137 6126 100c052 CreateProcessW 6127 100c075 GetThreadContext 6126->6127 6126->6137 6128 100c08a ReadProcessMemory 6127->6128 6127->6137 6128->6137 6129 100c0c5 VirtualAlloc 6130 100c0e2 VirtualAllocEx 6129->6130 6129->6137 6130->6137 6131 100c218 WriteProcessMemory 6132 100c230 VirtualProtectEx 6131->6132 6131->6137 6132->6137 6133 100c2c7 VirtualFree 6134 100c2d5 WriteProcessMemory 6133->6134 6133->6137 6135 100c2f0 SetThreadContext 6134->6135 6134->6137 6136 100c310 ResumeThread 6135->6136 6135->6137 6136->6137 6136->6138 6137->6126 6137->6129 6137->6131 6137->6133 6137->6138 6139 100c297 VirtualProtectEx 6137->6139 6138->6111 6139->6137 6142 fd377f 6140->6142 6141 fd5ece _malloc 67 API calls 6141->6142 6142->6141 6143 fd1210 MultiByteToWideChar 6142->6143 6144 fd5fa7 _malloc 6 API calls 6142->6144 6146 fd37a5 std::bad_alloc::bad_alloc 6142->6146 6143->6119 6144->6142 6148 fd5e68 __cinit 75 API calls 6146->6148 6151 fd37cb 6146->6151 6148->6151 6150 fd37e3 6152 fd3762 6151->6152 6158 fd5c6f 6152->6158 6155 fd5fcf 6156 fd5ff8 6155->6156 6157 fd6004 RaiseException 6155->6157 6156->6157 6157->6150 6159 fd5c8f _strlen 6158->6159 6163 fd3772 6158->6163 6160 fd5ece _malloc 67 API calls 6159->6160 6159->6163 6161 fd5ca2 6160->6161 6162 fd72cb _strcpy_s 67 API calls 6161->6162 6161->6163 6162->6163 6163->6155 6165 100bd67 6164->6165 6165->6124

Control-flow Graph

Legend: Executed / Not Executed
                                                                                                                                                              APIs
                                                                                                                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0100C06A
                                                                                                                                                              • GetThreadContext.KERNELBASE(?,00010007), ref: 0100C07F
                                                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0100C0A0
                                                                                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0100C0D2
                                                                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0100C0F2
                                                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 0100C225
                                                                                                                                                              • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 0100C242
                                                                                                                                                              • VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 0100C2AC
                                                                                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0100C2CE
                                                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0100C2E9
                                                                                                                                                              • SetThreadContext.KERNELBASE(?,00010007), ref: 0100C306
                                                                                                                                                              • ResumeThread.KERNELBASE(?), ref: 0100C313
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
                                                                                                                                                              • String ID: D
                                                                                                                                                              • API String ID: 12256240-2746444292
                                                                                                                                                              • Opcode ID: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
                                                                                                                                                              • Instruction ID: 89b7aa07be57d37bb297259c11469e91d9b9b2596a347706e8d68e6df29e1b11
                                                                                                                                                              • Opcode Fuzzy Hash: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
                                                                                                                                                              • Instruction Fuzzy Hash: 93122A71D002199BEF62CFA4CD84BEEBBB5FF04704F1481A9E649E6290E7749A84CF54
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              C-Code - Quality: 100%
                                                                                                                                                              			E00FD1090(void* _a4, long _a8) {
                                                                                                                                                              				long _v8;
                                                                                                                                                              				CHAR* _v12;
                                                                                                                                                              				struct HINSTANCE__* _v16;
                                                                                                                                                              				CHAR* _v20;
                                                                                                                                                              
                                                                                                                                                              				_v12 = "VirtualProtect";
                                                                                                                                                              				IsValidCodePage(0x6d); // executed
                                                                                                                                                              				_v20 = "kernel32.dll";
                                                                                                                                                              				_v16 = GetModuleHandleA(_v20);
                                                                                                                                                              				_v8 = 0;
                                                                                                                                                              				 *0x100d3c0 = GetProcAddress(_v16, _v12);
                                                                                                                                                              				VirtualProtect(_a4, _a8, 0x40,  &_v8); // executed
                                                                                                                                                              				return 0;
                                                                                                                                                              			}








                                                                                                                                                              APIs
                                                                                                                                                              • IsValidCodePage.KERNELBASE(0000006D), ref: 00FD109F
                                                                                                                                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00FD10B0
                                                                                                                                                              • GetProcAddress.KERNEL32(?,VirtualProtect), ref: 00FD10C8
                                                                                                                                                              • VirtualProtect.KERNELBASE(VirtualProtect,?,00000040,00000000), ref: 00FD10E1
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AddressCodeHandleModulePageProcProtectValidVirtual
                                                                                                                                                              • String ID: VirtualProtect$kernel32.dll
                                                                                                                                                              • API String ID: 2328019344-1817385118
                                                                                                                                                              • Opcode ID: 0228272127eb96d636876d9ca513db75e91bd474e98fc2c69cebcce6aaf0e185
                                                                                                                                                              • Instruction ID: b20608362eff97e2960a85d05887ef1facda9810dabad938dff26f360e8e615b
                                                                                                                                                              • Opcode Fuzzy Hash: 0228272127eb96d636876d9ca513db75e91bd474e98fc2c69cebcce6aaf0e185
                                                                                                                                                              • Instruction Fuzzy Hash: CCF01DB5D4020CEBDB04DFE4D848AAF7BBAFB88300F00C549F615A7244D77596019BA0
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              C-Code - Quality: 91%
                                                                                                                                                              			E00FD3190(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                                                                                                                                                              				intOrPtr _v0;
                                                                                                                                                              				signed int _v12;
                                                                                                                                                              				char _v20;
                                                                                                                                                              				void* __ebp;
                                                                                                                                                              				void* _t31;
                                                                                                                                                              				signed int _t32;
                                                                                                                                                              				signed int _t36;
                                                                                                                                                              				intOrPtr _t39;
                                                                                                                                                              				intOrPtr _t41;
                                                                                                                                                              				void* _t47;
                                                                                                                                                              				intOrPtr* _t50;
                                                                                                                                                              				signed int _t55;
                                                                                                                                                              				signed int _t56;
                                                                                                                                                              				void* _t59;
                                                                                                                                                              				void* _t60;
                                                                                                                                                              				intOrPtr* _t62;
                                                                                                                                                              				void* _t65;
                                                                                                                                                              				void* _t67;
                                                                                                                                                              
                                                                                                                                                              				_t60 = __edi;
                                                                                                                                                              				_t59 = __edx;
                                                                                                                                                              				_t47 = __ebx;
                                                                                                                                                              				_pop(_t64);
                                                                                                                                                              				_t65 = _t67;
                                                                                                                                                              				while(1) {
                                                                                                                                                              					_t31 = E00FD5ECE(_t47, _t59, _t60, _v0); // executed
                                                                                                                                                              					if(_t31 != 0) {
                                                                                                                                                              						return _t31;
                                                                                                                                                              					}
                                                                                                                                                              					_t32 = E00FD5FA7(_v0);
                                                                                                                                                              					__eflags = _t32;
                                                                                                                                                              					if(_t32 == 0) {
                                                                                                                                                              						__eflags =  *0x100d420 & 0x00000001;
                                                                                                                                                              						if(( *0x100d420 & 0x00000001) == 0) {
                                                                                                                                                              							 *0x100d420 =  *0x100d420 | 0x00000001;
                                                                                                                                                              							__eflags =  *0x100d420;
                                                                                                                                                              							E00FD3715(0x100d414);
                                                                                                                                                              							E00FD5E68( *0x100d420, 0xfdc9bb);
                                                                                                                                                              						}
                                                                                                                                                              						_t50 =  &_v20;
                                                                                                                                                              						E00FD3762(_t50, 0x100d414);
                                                                                                                                                              						E00FD5FCF( &_v20, 0xfdf2f4);
                                                                                                                                                              						asm("int3");
                                                                                                                                                              						_push(_t65);
                                                                                                                                                              						_t36 = _v12;
                                                                                                                                                              						_push(0x100d414);
                                                                                                                                                              						_t62 = _t50;
                                                                                                                                                              						 *((char*)(_t62 + 0xc)) = 0;
                                                                                                                                                              						__eflags = _t36;
                                                                                                                                                              						if(__eflags != 0) {
                                                                                                                                                              							 *_t62 =  *_t36;
                                                                                                                                                              							_t29 = _t36 + 4; // 0xfd3730
                                                                                                                                                              							 *((intOrPtr*)(_t62 + 4)) =  *_t29;
                                                                                                                                                              						} else {
                                                                                                                                                              							_t39 = E00FD56CB(_t47, __eflags);
                                                                                                                                                              							 *((intOrPtr*)(_t62 + 8)) = _t39;
                                                                                                                                                              							 *_t62 =  *((intOrPtr*)(_t39 + 0x6c));
                                                                                                                                                              							 *((intOrPtr*)(_t62 + 4)) =  *((intOrPtr*)(_t39 + 0x68));
                                                                                                                                                              							__eflags =  *_t62 -  *0x100cb98; // 0x100cac0
                                                                                                                                                              							if(__eflags != 0) {
                                                                                                                                                              								_t56 =  *0x100cab4; // 0xfffffffe
                                                                                                                                                              								__eflags =  *(_t39 + 0x70) & _t56;
                                                                                                                                                              								if(__eflags == 0) {
                                                                                                                                                              									 *_t62 = E00FD69DF(_t47, _t59, _t60, _t62, __eflags);
                                                                                                                                                              								}
                                                                                                                                                              							}
                                                                                                                                                              							__eflags =  *((intOrPtr*)(_t62 + 4)) -  *0x100c9b8; // 0x29e1608
                                                                                                                                                              							if(__eflags != 0) {
                                                                                                                                                              								_t55 =  *0x100cab4; // 0xfffffffe
                                                                                                                                                              								__eflags =  *( *((intOrPtr*)(_t62 + 8)) + 0x70) & _t55;
                                                                                                                                                              								if(__eflags == 0) {
                                                                                                                                                              									 *((intOrPtr*)(_t62 + 4)) = E00FD6273(_t47, _t59, _t60, _t62, __eflags);
                                                                                                                                                              								}
                                                                                                                                                              							}
                                                                                                                                                              							_t41 =  *((intOrPtr*)(_t62 + 8));
                                                                                                                                                              							__eflags =  *(_t41 + 0x70) & 0x00000002;
                                                                                                                                                              							if(( *(_t41 + 0x70) & 0x00000002) == 0) {
                                                                                                                                                              								 *(_t41 + 0x70) =  *(_t41 + 0x70) | 0x00000002;
                                                                                                                                                              								 *((char*)(_t62 + 0xc)) = 1;
                                                                                                                                                              							}
                                                                                                                                                              						}
                                                                                                                                                              						return _t62;
                                                                                                                                                              					} else {
                                                                                                                                                              						continue;
                                                                                                                                                              					}
                                                                                                                                                              					break;
                                                                                                                                                              				}
                                                                                                                                                              			}






















                                                                                                                                                              APIs
                                                                                                                                                              • _malloc.LIBCMT ref: 00FD3799
                                                                                                                                                                • Part of subcall function 00FD5ECE: __FF_MSGBANNER.LIBCMT ref: 00FD5EF1
                                                                                                                                                                • Part of subcall function 00FD5ECE: __NMSG_WRITE.LIBCMT ref: 00FD5EF8
                                                                                                                                                                • Part of subcall function 00FD5ECE: RtlAllocateHeap.NTDLL(00000000,00FD378F,?,?,?,?,00FD379E,00FD1210,?,00FD1210,00002000), ref: 00FD5F45
                                                                                                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 00FD37BC
                                                                                                                                                                • Part of subcall function 00FD3715: std::exception::exception.LIBCMT ref: 00FD3721
                                                                                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 00FD37D0
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
• Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                                                              • String ID: P'
                                                                                                                                                              • API String ID: 832318072-1918376585
                                                                                                                                                              • Opcode ID: 3e181f2c66c1e0f829badccbbfd0f479c4b353a81457ac2a0fd5cd0c8241c14e
                                                                                                                                                              • Instruction ID: d91a5cfb0b8ac918e830e5daf45f9c7f0128ab303d95c0c2d19c61fda4228b3d
                                                                                                                                                              • Opcode Fuzzy Hash: 3e181f2c66c1e0f829badccbbfd0f479c4b353a81457ac2a0fd5cd0c8241c14e
                                                                                                                                                              • Instruction Fuzzy Hash: B5F0E0F2908A0923CB1577A1DC4696D3B9B5B40B78F1C0027FD4555382DF65EB45B293
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 107 fdbbdc-fdbbef call fd59d4 110 fdbc1f-fdbc2a 107->110 111 fdbbf1-fdbbfe 107->111 112 fdbc2c-fdbc2e 110->112 113 fdbc2f-fdbc37 110->113 111->110 114 fdbc00-fdbc15 call fd7375 call fd6b8c 111->114 112->113 115 fdbc39-fdbc40 113->115 116 fdbca2-fdbca4 113->116 135 fdbc18-fdbc1a 114->135 120 fdbc8d-fdbc8f 115->120 121 fdbc42-fdbc54 115->121 118 fdbca6-fdbcac 116->118 119 fdbcf2 116->119 125 fdbcae-fdbcb7 call fd5fa7 118->125 126 fdbce1-fdbce3 118->126 128 fdbcf4-fdbcf9 call fd5a19 119->128 120->119 124 fdbc91-fdbca0 RtlAllocateHeap 120->124 121->120 127 fdbc56-fdbc7e call fd79f8 call fd8a22 call fdbcd8 121->127 124->116 125->113 139 fdbcbd-fdbcc2 125->139 126->119 133 fdbce5-fdbcea 126->133 127->124 145 fdbc80-fdbc8a call fd7690 127->145 133->119 138 fdbcec 133->138 135->128 138->119 139->135 141 fdbcc8-fdbcce 139->141 141->135 145->120
                                                                                                                                                              C-Code - Quality: 75%
                                                                                                                                                              			E00FDBBDC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                              				long _t21;
                                                                                                                                                              				long _t23;
                                                                                                                                                              				long _t24;
                                                                                                                                                              				void* _t25;
                                                                                                                                                              				long _t31;
                                                                                                                                                              				signed int _t32;
                                                                                                                                                              				signed int _t33;
                                                                                                                                                              				signed int _t39;
                                                                                                                                                              				signed int _t45;
                                                                                                                                                              				long _t49;
                                                                                                                                                              				void* _t52;
                                                                                                                                                              				void* _t53;
                                                                                                                                                              
                                                                                                                                                              				_push(0xc);
                                                                                                                                                              				_push(0xfdf598);
                                                                                                                                                              				E00FD59D4(__ebx, __edi, __esi);
                                                                                                                                                              				_t39 =  *(_t52 + 8);
                                                                                                                                                              				if(_t39 <= 0) {
                                                                                                                                                              					L4:
                                                                                                                                                              					_t49 = _t39 *  *(_t52 + 0xc);
                                                                                                                                                              					 *(_t52 + 8) = _t49;
                                                                                                                                                              					__eflags = _t49;
                                                                                                                                                              					if(_t49 == 0) {
                                                                                                                                                              						_t49 = 1;
                                                                                                                                                              						__eflags = 1;
                                                                                                                                                              					}
                                                                                                                                                              					do {
                                                                                                                                                              						_t38 = 0;
                                                                                                                                                              						 *(_t52 - 0x1c) = 0;
                                                                                                                                                              						__eflags = _t49 - 0xffffffe0;
                                                                                                                                                              						if(_t49 > 0xffffffe0) {
                                                                                                                                                              							L13:
                                                                                                                                                              							__eflags = _t38;
                                                                                                                                                              							if(_t38 != 0) {
                                                                                                                                                              								L21:
                                                                                                                                                              								_t21 = _t38;
                                                                                                                                                              								L22:
                                                                                                                                                              								return E00FD5A19(_t21);
                                                                                                                                                              							}
                                                                                                                                                              							__eflags =  *0x100da7c; // 0x0
                                                                                                                                                              							if(__eflags == 0) {
                                                                                                                                                              								__eflags = _t38;
                                                                                                                                                              								if(_t38 == 0) {
                                                                                                                                                              									_t23 =  *(_t52 + 0x10);
                                                                                                                                                              									__eflags = _t23;
                                                                                                                                                              									if(_t23 != 0) {
                                                                                                                                                              										 *_t23 = 0xc;
                                                                                                                                                              									}
                                                                                                                                                              								}
                                                                                                                                                              								goto L21;
                                                                                                                                                              							}
                                                                                                                                                              							goto L15;
                                                                                                                                                              						}
                                                                                                                                                              						__eflags =  *0x100dec8 - 3;
                                                                                                                                                              						if( *0x100dec8 != 3) {
                                                                                                                                                              							L11:
                                                                                                                                                              							__eflags = _t38;
                                                                                                                                                              							if(_t38 != 0) {
                                                                                                                                                              								goto L21;
                                                                                                                                                              							}
                                                                                                                                                              							L12:
                                                                                                                                                              							_t25 = RtlAllocateHeap( *0x100d88c, 8, _t49); // executed
                                                                                                                                                              							_t38 = _t25;
                                                                                                                                                              							goto L13;
                                                                                                                                                              						}
                                                                                                                                                              						_t49 = _t49 + 0x0000000f & 0xfffffff0;
                                                                                                                                                              						 *(_t52 + 0xc) = _t49;
                                                                                                                                                              						__eflags =  *(_t52 + 8) -  *0x100deb4; // 0x0
                                                                                                                                                              						if(__eflags > 0) {
                                                                                                                                                              							goto L11;
                                                                                                                                                              						}
                                                                                                                                                              						E00FD79F8(0, 0, 4);
                                                                                                                                                              						 *((intOrPtr*)(_t52 - 4)) = 0;
                                                                                                                                                              						_push( *(_t52 + 8));
                                                                                                                                                              						 *(_t52 - 0x1c) = E00FD8A22();
                                                                                                                                                              						 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
                                                                                                                                                              						E00FDBCD8();
                                                                                                                                                              						_t38 =  *(_t52 - 0x1c);
                                                                                                                                                              						__eflags = _t38;
                                                                                                                                                              						if(_t38 == 0) {
                                                                                                                                                              							goto L12;
                                                                                                                                                              						}
                                                                                                                                                              						E00FD7690(0, _t38, 0,  *(_t52 + 8));
                                                                                                                                                              						_t53 = _t53 + 0xc;
                                                                                                                                                              						goto L11;
                                                                                                                                                              						L15:
                                                                                                                                                              						_t24 = E00FD5FA7(_t49);
                                                                                                                                                              						__eflags = _t24;
                                                                                                                                                              					} while (_t24 != 0);
                                                                                                                                                              					_t31 =  *(_t52 + 0x10);
                                                                                                                                                              					__eflags = _t31;
                                                                                                                                                              					if(_t31 != 0) {
                                                                                                                                                              						 *_t31 = 0xc;
                                                                                                                                                              					}
                                                                                                                                                              					L3:
                                                                                                                                                              					_t21 = 0;
                                                                                                                                                              					goto L22;
                                                                                                                                                              				}
                                                                                                                                                              				_t32 = 0xffffffe0;
                                                                                                                                                              				_t33 = _t32 / _t39;
                                                                                                                                                              				_t45 = _t32 % _t39;
                                                                                                                                                              				asm("sbb eax, eax");
                                                                                                                                                              				_t58 = _t33 + 1;
                                                                                                                                                              				if(_t33 + 1 != 0) {
                                                                                                                                                              					goto L4;
                                                                                                                                                              				} else {
                                                                                                                                                              					 *((intOrPtr*)(E00FD7375(_t58))) = 0xc;
                                                                                                                                                              					_push(0);
                                                                                                                                                              					_push(0);
                                                                                                                                                              					_push(0);
                                                                                                                                                              					_push(0);
                                                                                                                                                              					_push(0);
                                                                                                                                                              					E00FD6B8C(_t45, 0, __esi);
                                                                                                                                                              					goto L3;
                                                                                                                                                              				}
                                                                                                                                                              			}
















                                                                                                                                                              APIs
                                                                                                                                                              • __lock.LIBCMT ref: 00FDBC58
                                                                                                                                                              • ___sbh_alloc_block.LIBCMT ref: 00FDBC64
                                                                                                                                                              • _memset.LIBCMT ref: 00FDBC85
                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000008,?,00FDF598,0000000C,00FD8154,00FD379E,?,00000000,00000000,00000000,?,00FD567D,00000001,00000214,?,00FD379E), ref: 00FDBC9A
                                                                                                                                                                • Part of subcall function 00FD7375: __getptd_noexit.LIBCMT ref: 00FD7375
                                                                                                                                                                • Part of subcall function 00FD6B8C: __decode_pointer.LIBCMT ref: 00FD6B97
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AllocateHeap___sbh_alloc_block__decode_pointer__getptd_noexit__lock_memset
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3771094184-0
                                                                                                                                                              • Opcode ID: e3ac2acf2e37d64f70531d176207ec01b2cfa7fee9769b8d80e3e557860839b3
                                                                                                                                                              • Instruction ID: 6d362462e319db415c658c0b8b552f1dd3cae52c2ca77f0c4c36f6745a69feb3
                                                                                                                                                              • Opcode Fuzzy Hash: e3ac2acf2e37d64f70531d176207ec01b2cfa7fee9769b8d80e3e557860839b3
                                                                                                                                                              • Instruction Fuzzy Hash: 7521D272D10614DACB21AFA88C80A6D7763FB84770F6E8217F8559B381EF358D80BB50
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 148 fd2d90-fd3182 ShowScrollBar call fd1270 150 fd3187-fd318f 148->150
                                                                                                                                                              APIs
                                                                                                                                                              • ShowScrollBar.USER32(?,000000E6,00000000,00000058), ref: 00FD317C
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ScrollShow
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3611344627-0
                                                                                                                                                              • Opcode ID: 060bd17f9d27b7e8e1c9587b57c90eb1748b9a321e125f1f44a23ce812f1fa4f
                                                                                                                                                              • Instruction ID: 6e729b2fcd0bcd16030a6e4ab2de95885c51e72ab4a842a80dbbca38df28a644
                                                                                                                                                              • Opcode Fuzzy Hash: 060bd17f9d27b7e8e1c9587b57c90eb1748b9a321e125f1f44a23ce812f1fa4f
                                                                                                                                                              • Instruction Fuzzy Hash: 64B1F577F616391ED31B88B98C96E18494763E5D56F0ADB39C834DF2C9CEB18A0B81C1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 151 fd59a1-fd59c3 HeapCreate 152 fd59c5-fd59c6 151->152 153 fd59c7-fd59d0 151->153
                                                                                                                                                              C-Code - Quality: 100%
                                                                                                                                                              			E00FD59A1(intOrPtr _a4) {
                                                                                                                                                              				void* _t6;
                                                                                                                                                              
                                                                                                                                                              				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                                                                                              				 *0x100d88c = _t6;
                                                                                                                                                              				if(_t6 != 0) {
                                                                                                                                                              					 *0x100dec8 = 1;
                                                                                                                                                              					return 1;
                                                                                                                                                              				} else {
                                                                                                                                                              					return _t6;
                                                                                                                                                              				}
                                                                                                                                                              			}





                                                                                                                                                              APIs
                                                                                                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00FD59B6
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CreateHeap
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 10892065-0
                                                                                                                                                              • Opcode ID: 3b30cb9ddc1c602297e14cb23c58d096c96f25ffea5d6ae5fa5086c45a1ba62b
                                                                                                                                                              • Instruction ID: 8569832eab36b1d52f2430ed18d88e3ecb57535df54cedd1a17bd9e4310f78ad
                                                                                                                                                              • Opcode Fuzzy Hash: 3b30cb9ddc1c602297e14cb23c58d096c96f25ffea5d6ae5fa5086c45a1ba62b
                                                                                                                                                              • Instruction Fuzzy Hash: CFD05E729503489ADB116FF16C087263BEC93847A5F148437F84CC6144FA75D941AB20
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 154 fd5476-fd5478 call fd5404 156 fd547d-fd547e 154->156
                                                                                                                                                              C-Code - Quality: 100%
                                                                                                                                                              			E00FD5476() {
                                                                                                                                                              				void* _t1;
                                                                                                                                                              
                                                                                                                                                              				_t1 = E00FD5404(0); // executed
                                                                                                                                                              				return _t1;
                                                                                                                                                              			}





                                                                                                                                                              APIs
                                                                                                                                                              • __encode_pointer.LIBCMT ref: 00FD5478
                                                                                                                                                                • Part of subcall function 00FD5404: TlsGetValue.KERNEL32(00000000,?,00FD547D,00000000,00FD7E2C,0100D458,00000000,00000314,?,00FD4B24,0100D458,Microsoft Visual C++ Runtime Library,00012010), ref: 00FD5416
                                                                                                                                                                • Part of subcall function 00FD5404: TlsGetValue.KERNEL32(00000006,?,00FD547D,00000000,00FD7E2C,0100D458,00000000,00000314,?,00FD4B24,0100D458,Microsoft Visual C++ Runtime Library,00012010), ref: 00FD542D
                                                                                                                                                                • Part of subcall function 00FD5404: RtlEncodePointer.NTDLL(00000000,?,00FD547D,00000000,00FD7E2C,0100D458,00000000,00000314,?,00FD4B24,0100D458,Microsoft Visual C++ Runtime Library,00012010), ref: 00FD546B
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Value$EncodePointer__encode_pointer
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2585649348-0
                                                                                                                                                              • Opcode ID: 71942792d15c9b5150c38948c2409daeb3ff3c2c62eb2f73b3486ef3324c9791
                                                                                                                                                              • Instruction ID: 942afb8038ebf4a85ce4555320756580a3372dc4ea8e0e720e9f44502c7b42fe
                                                                                                                                                              • Opcode Fuzzy Hash: 71942792d15c9b5150c38948c2409daeb3ff3c2c62eb2f73b3486ef3324c9791
                                                                                                                                                              • Instruction Fuzzy Hash:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              C-Code - Quality: 88%
                                                                                                                                                              			E00FD1200(void* __ebx, void* __edi, char* _a4, intOrPtr _a8) {
                                                                                                                                                              				short* _v8;
                                                                                                                                                              				short* _v12;
                                                                                                                                                              				short* _v16;
                                                                                                                                                              				void* __ebp;
                                                                                                                                                              				short* _t12;
                                                                                                                                                              				void* _t23;
                                                                                                                                                              				void* _t27;
                                                                                                                                                              				void* _t32;
                                                                                                                                                              
                                                                                                                                                              				_t26 = __edi;
                                                                                                                                                              				_t20 = __ebx;
                                                                                                                                                              				_t12 = E00FD3190(__ebx, _t23, __edi, _t32, 0x2000); // executed
                                                                                                                                                              				_v12 = _t12;
                                                                                                                                                              				_v8 = _v12;
                                                                                                                                                              				MultiByteToWideChar(0, 0, _a4, 0xffffffff, _v8, 0x1000);
                                                                                                                                                              				E00FD3220(__ebx, __edi, _t27, _a8, _v8, 0x1000);
                                                                                                                                                              				_v16 = _v8;
                                                                                                                                                              				_push(_v16);
                                                                                                                                                              				E00FD3585(_t20, _v8, _t26, _t27, _t32);
                                                                                                                                                              				return _a8;
                                                                                                                                                              			}












                                                                                                                                                              APIs
                                                                                                                                                                • Part of subcall function 00FD3190: _malloc.LIBCMT ref: 00FD3799
                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001000), ref: 00FD122F
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ByteCharMultiWide_malloc
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2241198742-0
                                                                                                                                                              • Opcode ID: 5f167c210e3dc234dcea04e1e77661c71dffc3075a9ceda9959ed72823d4982d
                                                                                                                                                              • Instruction ID: dbb57814ac28944cbcfcc6c63dd2f939840d7c60ff9671b5191d59ee5b9ab739
                                                                                                                                                              • Opcode Fuzzy Hash: 5f167c210e3dc234dcea04e1e77661c71dffc3075a9ceda9959ed72823d4982d
                                                                                                                                                              • Instruction Fuzzy Hash: F5F012B9E00208BBDB00DFD4DC46F9EB7759B48711F148155FA189B3C5E571AB109B92
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 85%
                                                                                                                                                              			E00FD7594(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                                              				intOrPtr _v0;
                                                                                                                                                              				void* _v804;
                                                                                                                                                              				intOrPtr _v808;
                                                                                                                                                              				intOrPtr _v812;
                                                                                                                                                              				intOrPtr _t6;
                                                                                                                                                              				intOrPtr _t11;
                                                                                                                                                              				intOrPtr _t12;
                                                                                                                                                              				intOrPtr _t13;
                                                                                                                                                              				long _t17;
                                                                                                                                                              				intOrPtr _t21;
                                                                                                                                                              				intOrPtr _t22;
                                                                                                                                                              				intOrPtr _t25;
                                                                                                                                                              				intOrPtr _t26;
                                                                                                                                                              				intOrPtr _t27;
                                                                                                                                                              				intOrPtr* _t31;
                                                                                                                                                              				void* _t34;
                                                                                                                                                              
                                                                                                                                                              				_t27 = __esi;
                                                                                                                                                              				_t26 = __edi;
                                                                                                                                                              				_t25 = __edx;
                                                                                                                                                              				_t22 = __ecx;
                                                                                                                                                              				_t21 = __ebx;
                                                                                                                                                              				_t6 = __eax;
                                                                                                                                                              				_t34 = _t22 -  *0x100cd20; // 0x4d1cadd2
                                                                                                                                                              				if(_t34 == 0) {
                                                                                                                                                              					asm("repe ret");
                                                                                                                                                              				}
                                                                                                                                                              				 *0x100db98 = _t6;
                                                                                                                                                              				 *0x100db94 = _t22;
                                                                                                                                                              				 *0x100db90 = _t25;
                                                                                                                                                              				 *0x100db8c = _t21;
                                                                                                                                                              				 *0x100db88 = _t27;
                                                                                                                                                              				 *0x100db84 = _t26;
                                                                                                                                                              				 *0x100dbb0 = ss;
                                                                                                                                                              				 *0x100dba4 = cs;
                                                                                                                                                              				 *0x100db80 = ds;
                                                                                                                                                              				 *0x100db7c = es;
                                                                                                                                                              				 *0x100db78 = fs;
                                                                                                                                                              				 *0x100db74 = gs;
                                                                                                                                                              				asm("pushfd");
                                                                                                                                                              				_pop( *0x100dba8);
                                                                                                                                                              				 *0x100db9c =  *_t31;
                                                                                                                                                              				 *0x100dba0 = _v0;
                                                                                                                                                              				 *0x100dbac =  &_a4;
                                                                                                                                                              				 *0x100dae8 = 0x10001;
                                                                                                                                                              				_t11 =  *0x100dba0; // 0x0
                                                                                                                                                              				 *0x100da9c = _t11;
                                                                                                                                                              				 *0x100da90 = 0xc0000409;
                                                                                                                                                              				 *0x100da94 = 1;
                                                                                                                                                              				_t12 =  *0x100cd20; // 0x4d1cadd2
                                                                                                                                                              				_v812 = _t12;
                                                                                                                                                              				_t13 =  *0x100cd24; // 0xb2e3522d
                                                                                                                                                              				_v808 = _t13;
                                                                                                                                                              				 *0x100dae0 = IsDebuggerPresent();
                                                                                                                                                              				_push(1);
                                                                                                                                                              				E00FD9900(_t14);
                                                                                                                                                              				SetUnhandledExceptionFilter(0);
                                                                                                                                                              				_t17 = UnhandledExceptionFilter(0xfdea84);
                                                                                                                                                              				if( *0x100dae0 == 0) {
                                                                                                                                                              					_push(1);
                                                                                                                                                              					E00FD9900(_t17);
                                                                                                                                                              				}
                                                                                                                                                              				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                                              			}




















                                                                                                                                                              APIs
                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00FDB557
                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FDB56C
                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(00FDEA84), ref: 00FDB577
                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00FDB593
                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00FDB59A
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2579439406-0
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 100%
                                                                                                                                                              			E00FD466F() {
                                                                                                                                                              
                                                                                                                                                              				SetUnhandledExceptionFilter(E00FD462D);
                                                                                                                                                              				return 0;
                                                                                                                                                              			}




                                                                                                                                                              APIs
                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0000462D), ref: 00FD4674
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3192549508-0
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 93%
                                                                                                                                                              			E00FD556B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                              				struct HINSTANCE__* _t23;
                                                                                                                                                              				intOrPtr _t28;
                                                                                                                                                              				intOrPtr _t32;
                                                                                                                                                              				intOrPtr _t46;
                                                                                                                                                              				void* _t47;
                                                                                                                                                              
                                                                                                                                                              				_t35 = __ebx;
                                                                                                                                                              				_push(0xc);
                                                                                                                                                              				_push(0xfdf3a8);
                                                                                                                                                              				E00FD59D4(__ebx, __edi, __esi);
                                                                                                                                                              				_t45 = L"KERNEL32.DLL";
                                                                                                                                                              				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                                                                                                              				if(_t23 == 0) {
                                                                                                                                                              					_t23 = E00FD467D(_t45);
                                                                                                                                                              				}
                                                                                                                                                              				 *(_t47 - 0x1c) = _t23;
                                                                                                                                                              				_t46 =  *((intOrPtr*)(_t47 + 8));
                                                                                                                                                              				 *((intOrPtr*)(_t46 + 0x5c)) = 0xfddf10;
                                                                                                                                                              				 *((intOrPtr*)(_t46 + 0x14)) = 1;
                                                                                                                                                              				if(_t23 != 0) {
                                                                                                                                                              					_t35 = GetProcAddress;
                                                                                                                                                              					 *((intOrPtr*)(_t46 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                                                                                                                                                              					 *((intOrPtr*)(_t46 + 0x1fc)) = GetProcAddress( *(_t47 - 0x1c), "DecodePointer");
                                                                                                                                                              				}
                                                                                                                                                              				 *((intOrPtr*)(_t46 + 0x70)) = 1;
                                                                                                                                                              				 *((char*)(_t46 + 0xc8)) = 0x43;
                                                                                                                                                              				 *((char*)(_t46 + 0x14b)) = 0x43;
                                                                                                                                                              				 *(_t46 + 0x68) = 0x100c590;
                                                                                                                                                              				E00FD79F8(_t35, 1, 0xd);
                                                                                                                                                              				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
                                                                                                                                                              				_t14 = _t46 + 0x68; // 0x44e8968
                                                                                                                                                              				InterlockedIncrement( *_t14);
                                                                                                                                                              				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                              				E00FD5640();
                                                                                                                                                              				E00FD79F8(_t35, 1, 0xc);
                                                                                                                                                              				 *(_t47 - 4) = 1;
                                                                                                                                                              				_t28 =  *((intOrPtr*)(_t47 + 0xc));
                                                                                                                                                              				 *((intOrPtr*)(_t46 + 0x6c)) = _t28;
                                                                                                                                                              				if(_t28 == 0) {
                                                                                                                                                              					_t32 =  *0x100cb98; // 0x100cac0
                                                                                                                                                              					 *((intOrPtr*)(_t46 + 0x6c)) = _t32;
                                                                                                                                                              				}
                                                                                                                                                              				_t20 = _t46 + 0x6c; // 0xd3b0e8b
                                                                                                                                                              				E00FD6879( *_t20);
                                                                                                                                                              				 *(_t47 - 4) = 0xfffffffe;
                                                                                                                                                              				return E00FD5A19(E00FD5649());
                                                                                                                                                              			}









                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00FDF3A8,0000000C,00FD56A6,00000000,00000000,?,00FD379E,00FD737A,00FD5F8D,?,?,00FD379E,00FD1210,?,00FD1210), ref: 00FD557D
                                                                                                                                                              • __crt_waiting_on_module_handle.LIBCMT ref: 00FD5588
                                                                                                                                                                • Part of subcall function 00FD467D: Sleep.KERNEL32(000003E8,?,?,00FD54CE,KERNEL32.DLL,?,00FD5FB7,?,00FD5F87,00FD379E,?,?,00FD379E,00FD1210,?,00FD1210), ref: 00FD4689
                                                                                                                                                                • Part of subcall function 00FD467D: GetModuleHandleW.KERNEL32(00FD379E,?,?,00FD54CE,KERNEL32.DLL,?,00FD5FB7,?,00FD5F87,00FD379E,?,?,00FD379E,00FD1210,?,00FD1210), ref: 00FD4692
                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00FD55B1
                                                                                                                                                              • GetProcAddress.KERNEL32(00FD379E,DecodePointer), ref: 00FD55C1
                                                                                                                                                              • __lock.LIBCMT ref: 00FD55E3
                                                                                                                                                              • InterlockedIncrement.KERNEL32(044E8968), ref: 00FD55F0
                                                                                                                                                              • __lock.LIBCMT ref: 00FD5604
                                                                                                                                                              • ___addlocaleref.LIBCMT ref: 00FD5622
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                                                                              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                                              • API String ID: 1028249917-2843748187
                                                                                                                                                              • Opcode ID: 09d032cf3fcd6f9bbf7699963117eaa97eee99a08b6cf3fcea3e64bc3647c513
                                                                                                                                                              • Instruction ID: 20cf535116bced85bf3df19277fa7388d06718433569922c69acaa967128fde0
                                                                                                                                                              • Opcode Fuzzy Hash: 09d032cf3fcd6f9bbf7699963117eaa97eee99a08b6cf3fcea3e64bc3647c513
                                                                                                                                                              • Instruction Fuzzy Hash: 5911D272845B04DFD710AF39DC01B59BBE2AF04724F184A1BE49A973A0CB78D900EF15
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 89%
                                                                                                                                                              			E00FD6273(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                              				signed int _t15;
                                                                                                                                                              				LONG* _t21;
                                                                                                                                                              				long _t23;
                                                                                                                                                              				void* _t29;
                                                                                                                                                              				void* _t31;
                                                                                                                                                              				LONG* _t33;
                                                                                                                                                              				void* _t34;
                                                                                                                                                              				void* _t35;
                                                                                                                                                              
                                                                                                                                                              				_t35 = __eflags;
                                                                                                                                                              				_t29 = __edx;
                                                                                                                                                              				_t25 = __ebx;
                                                                                                                                                              				_push(0xc);
                                                                                                                                                              				_push(0xfdf438);
                                                                                                                                                              				E00FD59D4(__ebx, __edi, __esi);
                                                                                                                                                              				_t31 = E00FD56CB(__ebx, _t35);
                                                                                                                                                              				_t15 =  *0x100cab4; // 0xfffffffe
                                                                                                                                                              				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                                                                                              					E00FD79F8(_t25, _t31, 0xd);
                                                                                                                                                              					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                                                                                              					 *(_t34 - 0x1c) = _t33;
                                                                                                                                                              					__eflags = _t33 -  *0x100c9b8; // 0x29e1608
                                                                                                                                                              					if(__eflags != 0) {
                                                                                                                                                              						__eflags = _t33;
                                                                                                                                                              						if(_t33 != 0) {
                                                                                                                                                              							_t23 = InterlockedDecrement(_t33);
                                                                                                                                                              							__eflags = _t23;
                                                                                                                                                              							if(_t23 == 0) {
                                                                                                                                                              								__eflags = _t33 - 0x100c590;
                                                                                                                                                              								if(__eflags != 0) {
                                                                                                                                                              									_push(_t33);
                                                                                                                                                              									E00FD77A4(_t25, _t29, _t31, _t33, __eflags);
                                                                                                                                                              								}
                                                                                                                                                              							}
                                                                                                                                                              						}
                                                                                                                                                              						_t21 =  *0x100c9b8; // 0x29e1608
                                                                                                                                                              						 *(_t31 + 0x68) = _t21;
                                                                                                                                                              						_t33 =  *0x100c9b8; // 0x29e1608
                                                                                                                                                              						 *(_t34 - 0x1c) = _t33;
                                                                                                                                                              						InterlockedIncrement(_t33);
                                                                                                                                                              					}
                                                                                                                                                              					 *(_t34 - 4) = 0xfffffffe;
                                                                                                                                                              					E00FD630E();
                                                                                                                                                              				} else {
                                                                                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                                                                                              				}
                                                                                                                                                              				if(_t33 == 0) {
                                                                                                                                                              					E00FD46AD(_t29, 0x20);
                                                                                                                                                              				}
                                                                                                                                                              				return E00FD5A19(_t33);
                                                                                                                                                              			}












                                                                                                                                                              APIs
                                                                                                                                                              • __getptd.LIBCMT ref: 00FD627F
                                                                                                                                                                • Part of subcall function 00FD56CB: __getptd_noexit.LIBCMT ref: 00FD56CE
                                                                                                                                                                • Part of subcall function 00FD56CB: __amsg_exit.LIBCMT ref: 00FD56DB
                                                                                                                                                              • __amsg_exit.LIBCMT ref: 00FD629F
                                                                                                                                                              • __lock.LIBCMT ref: 00FD62AF
                                                                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00FD62CC
                                                                                                                                                              • InterlockedIncrement.KERNEL32(029E1608), ref: 00FD62F7
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 4271482742-0
                                                                                                                                                              • Opcode ID: 2061d5606a4a661027cc2dce8d303cb373e514ffa0ae6f9f3a3c06ea890678f8
                                                                                                                                                              • Instruction ID: 8dc264f2f30caf53456070a7aaa50dae239ff50da90f6825c851cdbe9a130040
                                                                                                                                                              • Opcode Fuzzy Hash: 2061d5606a4a661027cc2dce8d303cb373e514ffa0ae6f9f3a3c06ea890678f8
                                                                                                                                                              • Instruction Fuzzy Hash: 6001C432D01A11ABDF21AF64990975D7362AF48721F0C0257F410E7781C739AC41FBD5
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 43%
                                                                                                                                                              			E00FD77A4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                              				intOrPtr* _t10;
                                                                                                                                                              				intOrPtr _t13;
                                                                                                                                                              				intOrPtr _t24;
                                                                                                                                                              				void* _t26;
                                                                                                                                                              
                                                                                                                                                              				_push(0xc);
                                                                                                                                                              				_push(0xfdf498);
                                                                                                                                                              				_t8 = E00FD59D4(__ebx, __edi, __esi);
                                                                                                                                                              				_t24 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                                              				if(_t24 == 0) {
                                                                                                                                                              					L9:
                                                                                                                                                              					return E00FD5A19(_t8);
                                                                                                                                                              				}
                                                                                                                                                              				if( *0x100dec8 != 3) {
                                                                                                                                                              					_push(_t24);
                                                                                                                                                              					L7:
                                                                                                                                                              					_t8 = HeapFree( *0x100d88c, 0, ??);
                                                                                                                                                              					_t32 = _t8;
                                                                                                                                                              					if(_t8 == 0) {
                                                                                                                                                              						_t10 = E00FD7375(_t32);
                                                                                                                                                              						 *_t10 = E00FD7333(GetLastError());
                                                                                                                                                              					}
                                                                                                                                                              					goto L9;
                                                                                                                                                              				}
                                                                                                                                                              				E00FD79F8(__ebx, __edi, 4);
                                                                                                                                                              				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
                                                                                                                                                              				_t13 = E00FD8243(_t24);
                                                                                                                                                              				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
                                                                                                                                                              				if(_t13 != 0) {
                                                                                                                                                              					_push(_t24);
                                                                                                                                                              					_push(_t13);
                                                                                                                                                              					E00FD8273();
                                                                                                                                                              				}
                                                                                                                                                              				 *(_t26 - 4) = 0xfffffffe;
                                                                                                                                                              				_t8 = E00FD77FA();
                                                                                                                                                              				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
                                                                                                                                                              					goto L9;
                                                                                                                                                              				} else {
                                                                                                                                                              					_push( *((intOrPtr*)(_t26 + 8)));
                                                                                                                                                              					goto L7;
                                                                                                                                                              				}
                                                                                                                                                              			}








                                                                                                                                                              APIs
                                                                                                                                                              • __lock.LIBCMT ref: 00FD77C2
                                                                                                                                                                • Part of subcall function 00FD79F8: __mtinitlocknum.LIBCMT ref: 00FD7A0E
                                                                                                                                                                • Part of subcall function 00FD79F8: __amsg_exit.LIBCMT ref: 00FD7A1A
                                                                                                                                                                • Part of subcall function 00FD79F8: EnterCriticalSection.KERNEL32(?,?,?,00FDBC5D,00000004,00FDF598,0000000C,00FD8154,00FD379E,?,00000000,00000000,00000000,?,00FD567D,00000001), ref: 00FD7A22
                                                                                                                                                              • ___sbh_find_block.LIBCMT ref: 00FD77CD
                                                                                                                                                              • ___sbh_free_block.LIBCMT ref: 00FD77DC
                                                                                                                                                              • HeapFree.KERNEL32(00000000,00FD379E,00FDF498,0000000C,00FD79D9,00000000,00FDF4D8,0000000C,00FD7A13,00FD379E,?,?,00FDBC5D,00000004,00FDF598,0000000C), ref: 00FD780C
                                                                                                                                                              • GetLastError.KERNEL32(?,00FDBC5D,00000004,00FDF598,0000000C,00FD8154,00FD379E,?,00000000,00000000,00000000,?,00FD567D,00000001,00000214), ref: 00FD781D
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2714421763-0
                                                                                                                                                              • Opcode ID: f111ba3040b91a9a663e8460c5efd065dc6a7d95636e1b2ab7a224794722724f
                                                                                                                                                              • Instruction ID: 6b6719f928c6c74aaf2c282a591dbd702936fb7cc94b13801c1109bcd0a3ccc6
                                                                                                                                                              • Opcode Fuzzy Hash: f111ba3040b91a9a663e8460c5efd065dc6a7d95636e1b2ab7a224794722724f
                                                                                                                                                              • Instruction Fuzzy Hash: 74018432D09305AADB317BB0AC0AB5D36679F01771F38011BF404AE291EA7C8641F7A5
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 65%
                                                                                                                                                              			E00FD43D0() {
                                                                                                                                                              				signed long long _v12;
                                                                                                                                                              				signed int _v20;
                                                                                                                                                              				signed long long _v28;
                                                                                                                                                              				signed char _t8;
                                                                                                                                                              
                                                                                                                                                              				_t8 = GetModuleHandleA("KERNEL32");
                                                                                                                                                              				if(_t8 == 0) {
                                                                                                                                                              					L6:
                                                                                                                                                              					_v20 =  *0xfdd8f0;
                                                                                                                                                              					_v28 =  *0xfdd8e8;
                                                                                                                                                              					asm("fsubr qword [ebp-0x18]");
                                                                                                                                                              					_v12 = _v28 / _v20 * _v20;
                                                                                                                                                              					asm("fld1");
                                                                                                                                                              					asm("fcomp qword [ebp-0x8]");
                                                                                                                                                              					asm("fnstsw ax");
                                                                                                                                                              					if((_t8 & 0x00000005) != 0) {
                                                                                                                                                              						return 0;
                                                                                                                                                              					} else {
                                                                                                                                                              						return 1;
                                                                                                                                                              					}
                                                                                                                                                              				} else {
                                                                                                                                                              					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                                                                                                                              					if(__eax == 0) {
                                                                                                                                                              						goto L6;
                                                                                                                                                              					} else {
                                                                                                                                                              						_push(0);
                                                                                                                                                              						return __eax;
                                                                                                                                                              					}
                                                                                                                                                              				}
                                                                                                                                                              			}








                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,00FD320A), ref: 00FD43D5
                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00FD43E5
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                                                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                              • API String ID: 1646373207-3105848591
                                                                                                                                                              • Opcode ID: a46b489fd1f907ed36fa15fa09f8b8db1de4a672d11933826787cd0bf3af3ce6
                                                                                                                                                              • Instruction ID: c3913d006f2473ca8aad8d28190316adf5df3ff5237b00e71bdf6698d9637bdc
                                                                                                                                                              • Opcode Fuzzy Hash: a46b489fd1f907ed36fa15fa09f8b8db1de4a672d11933826787cd0bf3af3ce6
                                                                                                                                                              • Instruction Fuzzy Hash: 34F01D31A41A0E93DB106BB5AC0E76E7B7AFB90706F8505929191A01D8DE319071B652
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 100%
                                                                                                                                                              			E00FD429B(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                                                                                              				intOrPtr _t25;
                                                                                                                                                              				void* _t26;
                                                                                                                                                              				void* _t28;
                                                                                                                                                              
                                                                                                                                                              				_t25 = _a16;
                                                                                                                                                              				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                                                                                              					_t26 = E00FD3B8C(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                              					goto L9;
                                                                                                                                                              				} else {
                                                                                                                                                              					_t34 = _t25 - 0x66;
                                                                                                                                                              					if(_t25 != 0x66) {
                                                                                                                                                              						__eflags = _t25 - 0x61;
                                                                                                                                                              						if(_t25 == 0x61) {
                                                                                                                                                              							L7:
                                                                                                                                                              							_t26 = E00FD3C7C(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                              						} else {
                                                                                                                                                              							__eflags = _t25 - 0x41;
                                                                                                                                                              							if(__eflags == 0) {
                                                                                                                                                              								goto L7;
                                                                                                                                                              							} else {
                                                                                                                                                              								_t26 = E00FD41A1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                                                              							}
                                                                                                                                                              						}
                                                                                                                                                              						L9:
                                                                                                                                                              						return _t26;
                                                                                                                                                              					} else {
                                                                                                                                                              						return E00FD40E6(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                                                                                              					}
                                                                                                                                                              				}
                                                                                                                                                              			}







                                                                                                                                                              APIs
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3016257755-0
                                                                                                                                                              • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                              • Instruction ID: 0c351a9cfb11f4088edcbbec363f95b51ade254506c0759b394802b0137898db
                                                                                                                                                              • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                                                              • Instruction Fuzzy Hash: D7114B7640014EBBCF125E88DC028EE3F63BB18365B588916FE1859231C337E9B1BB81
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              C-Code - Quality: 90%
                                                                                                                                                              			E00FD69DF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                              				signed int _t13;
                                                                                                                                                              				void* _t25;
                                                                                                                                                              				intOrPtr _t27;
                                                                                                                                                              				intOrPtr _t29;
                                                                                                                                                              				void* _t30;
                                                                                                                                                              				void* _t31;
                                                                                                                                                              
                                                                                                                                                              				_t31 = __eflags;
                                                                                                                                                              				_t26 = __edi;
                                                                                                                                                              				_t25 = __edx;
                                                                                                                                                              				_t22 = __ebx;
                                                                                                                                                              				_push(0xc);
                                                                                                                                                              				_push(0xfdf478);
                                                                                                                                                              				E00FD59D4(__ebx, __edi, __esi);
                                                                                                                                                              				_t29 = E00FD56CB(__ebx, _t31);
                                                                                                                                                              				_t13 =  *0x100cab4; // 0xfffffffe
                                                                                                                                                              				if(( *(_t29 + 0x70) & _t13) == 0) {
                                                                                                                                                              					L6:
                                                                                                                                                              					E00FD79F8(_t22, _t26, 0xc);
                                                                                                                                                              					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                                                                                                                              					_t8 = _t29 + 0x6c; // 0x6c
                                                                                                                                                              					_t27 =  *0x100cb98; // 0x100cac0
                                                                                                                                                              					 *((intOrPtr*)(_t30 - 0x1c)) = E00FD69A1(_t8, _t27);
                                                                                                                                                              					 *(_t30 - 4) = 0xfffffffe;
                                                                                                                                                              					E00FD6A49();
                                                                                                                                                              				} else {
                                                                                                                                                              					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
                                                                                                                                                              					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
                                                                                                                                                              						goto L6;
                                                                                                                                                              					} else {
                                                                                                                                                              						_t29 =  *((intOrPtr*)(E00FD56CB(_t22, _t33) + 0x6c));
                                                                                                                                                              					}
                                                                                                                                                              				}
                                                                                                                                                              				if(_t29 == 0) {
                                                                                                                                                              					E00FD46AD(_t25, 0x20);
                                                                                                                                                              				}
                                                                                                                                                              				return E00FD5A19(_t29);
                                                                                                                                                              			}










                                                                                                                                                              APIs
                                                                                                                                                              • __getptd.LIBCMT ref: 00FD69EB
                                                                                                                                                                • Part of subcall function 00FD56CB: __getptd_noexit.LIBCMT ref: 00FD56CE
                                                                                                                                                                • Part of subcall function 00FD56CB: __amsg_exit.LIBCMT ref: 00FD56DB
                                                                                                                                                              • __getptd.LIBCMT ref: 00FD6A02
                                                                                                                                                              • __amsg_exit.LIBCMT ref: 00FD6A10
                                                                                                                                                              • __lock.LIBCMT ref: 00FD6A20
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.247692684.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                                                              • Associated: 00000000.00000002.247687326.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247711949.0000000000FDD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247819246.000000000100D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                              • Associated: 00000000.00000002.247825913.000000000100E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_fd0000_ChromeFIX_errorMEM.jbxd
                                                                                                                                                              Yara matches
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3521780317-0
                                                                                                                                                              • Opcode ID: b31d457a0a64054c239a33c0acffa3f7f2f831601bd93be6c671cd5869e4271d
                                                                                                                                                              • Instruction ID: de3da618209cfc0746a343617b96f37440c3345d9964c657c119a43aceba127d
                                                                                                                                                              • Opcode Fuzzy Hash: b31d457a0a64054c239a33c0acffa3f7f2f831601bd93be6c671cd5869e4271d
                                                                                                                                                              • Instruction Fuzzy Hash: 15F06232940B008BD720FBA48902B5973926B00724F58865BA495F73D2CB3C9901FB52
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: nV
                                                                                                                                                              • API String ID: 0-4230718762
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: Q$Q
                                                                                                                                                              • API String ID: 0-3863588447
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: Q
                                                                                                                                                              • API String ID: 0-4277333576
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8c0j$8vN
                                                                                                                                                              • API String ID: 0-1779224341
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: @Q$Q
                                                                                                                                                              • API String ID: 0-1333698483
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8vN$DxN
                                                                                                                                                              • API String ID: 0-1192695030
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8q
                                                                                                                                                              • API String ID: 0-596622023
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: k?i^
                                                                                                                                                              • API String ID: 0-4223288522
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8q
                                                                                                                                                              • API String ID: 0-596622023
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: hoQ
                                                                                                                                                              • API String ID: 0-1176590428
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 4!N
                                                                                                                                                              • API String ID: 0-1889814034
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: KDBM
                                                                                                                                                              • API String ID: 0-3504354710
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: KDBM
                                                                                                                                                              • API String ID: 0-3504354710
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: _P
                                                                                                                                                              • API String ID: 0-1539724655
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: @Q
                                                                                                                                                              • API String ID: 0-1878878239
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 8c0j
                                                                                                                                                              • API String ID: 0-745260190
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: Q
                                                                                                                                                              • API String ID: 0-4193994388
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: iP
                                                                                                                                                              • API String ID: 0-2065747021
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f530c7069ffd9c898be1fcf914ded7432a0e98b69842a86d6287d8f7e9cac89e
                                                                                                                                                              • Instruction ID: 54a395fca1e6711151bcff4622f0bb966506a92803ddc29c276d01b0bea0bac0
                                                                                                                                                              • Opcode Fuzzy Hash: f530c7069ffd9c898be1fcf914ded7432a0e98b69842a86d6287d8f7e9cac89e
                                                                                                                                                              • Instruction Fuzzy Hash: 96618F35B003449FCB059FB8D41456EBBB3EFC5351F25846AE849EB382DB35AD068B92
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 17e94cce6a0f43c7675df6b6495b745e41f479fef7587046d1b3bee7250c154e
                                                                                                                                                              • Instruction ID: dc16a5bcbcf8576c863d5265a02ebdba8efec44514daf5016fcf51882dbb0e7d
                                                                                                                                                              • Opcode Fuzzy Hash: 17e94cce6a0f43c7675df6b6495b745e41f479fef7587046d1b3bee7250c154e
                                                                                                                                                              • Instruction Fuzzy Hash: E351E838A00209DFDB14DFA4D998AAEBBB2FF48350F158555E915AB3A0DB31EC85CF50
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 49f2b5811fbf1b53013fa1e2fe559cd2d7cdb290a1c00ade7d9e8deef23415b6
                                                                                                                                                              • Instruction ID: e9ff408109cfba3401c760ead6db1e7634e8235b0a9c9d5ef1312aba4c0ec293
                                                                                                                                                              • Opcode Fuzzy Hash: 49f2b5811fbf1b53013fa1e2fe559cd2d7cdb290a1c00ade7d9e8deef23415b6
                                                                                                                                                              • Instruction Fuzzy Hash: 9741BC34A04245AFCB15DF75C855A6EBFB6EF86300F1480ABE805CB3A2DB31D906CB61
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 231ef4c7017ab54356ab3fe9b1e3a444dfa0d994c9e4f00a4fff122177406175
                                                                                                                                                              • Instruction ID: 6b695d3ee62dc89e3423ec9d0b2f5a52a258310c74e03115effbb1562bfb87d7
                                                                                                                                                              • Opcode Fuzzy Hash: 231ef4c7017ab54356ab3fe9b1e3a444dfa0d994c9e4f00a4fff122177406175
                                                                                                                                                              • Instruction Fuzzy Hash: DA41B130B002489FDB15EFB9D8197AF7BB2EF84300F10846AE511EB395CF7559068BA1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7a49765292d22dd776bd20c8e4d625527458048c04cc4b9dcc4b85efc9d932cd
                                                                                                                                                              • Instruction ID: adde48cc04e3b746bc8a3b807ed22fba2bd8d175f09bbfe4884e5145dbb5461e
                                                                                                                                                              • Opcode Fuzzy Hash: 7a49765292d22dd776bd20c8e4d625527458048c04cc4b9dcc4b85efc9d932cd
                                                                                                                                                              • Instruction Fuzzy Hash: BE311734B002488FD718DF68D4A8AAE7BF2EF88751F144469E9069B3A1DF769C41CB51
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 7d1dd84d218fd2559fb8069bf56b062b4f356973db0924b3ca5c6ad4649b57d0
                                                                                                                                                              • Instruction ID: 294b6975e8f8430d1a528d388c3f04090f46a6cf94fe285c218064a405f58549
                                                                                                                                                              • Opcode Fuzzy Hash: 7d1dd84d218fd2559fb8069bf56b062b4f356973db0924b3ca5c6ad4649b57d0
                                                                                                                                                              • Instruction Fuzzy Hash: 24318831E00B4ADBCB11AFB9C8112D9F772BF99320F25861AE55977240EB70B5D5CB90
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 64d8f1d86c579cd89e707154775e937d3f16dc2d9784bc93eaff653489678c29
                                                                                                                                                              • Instruction ID: 0e9a8bd3b575e65f971a290c4586b09266045a283a359604bb8329a89954bdf2
                                                                                                                                                              • Opcode Fuzzy Hash: 64d8f1d86c579cd89e707154775e937d3f16dc2d9784bc93eaff653489678c29
                                                                                                                                                              • Instruction Fuzzy Hash: 7B2121347003848FC719AB78A81812E7BE7AFC5311718887ED80ACB792DF759C0683A2
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 5911a77104f1014dd9e6a4f871e0c10cd6564c75f06e0f35a3f76df0267e39d4
                                                                                                                                                              • Instruction ID: 9e2f56c0a26f22cc402fc1cdf49b57ccd4c4b8dd3d06ca85db9ad90696ff2684
                                                                                                                                                              • Opcode Fuzzy Hash: 5911a77104f1014dd9e6a4f871e0c10cd6564c75f06e0f35a3f76df0267e39d4
                                                                                                                                                              • Instruction Fuzzy Hash: 7F311A347002489FD758DF68C498AAE7BF6EF89750F144469E5029B3A1DF329D41CF61
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e17526593c8138b1071a4761b13953ed2fb1b64d0374149a69f2da619586f2d3
                                                                                                                                                              • Instruction ID: af77e6af261a3ae4206147fe92aff1e53f24f2c468517ac3d32a1217155f03cd
                                                                                                                                                              • Opcode Fuzzy Hash: e17526593c8138b1071a4761b13953ed2fb1b64d0374149a69f2da619586f2d3
                                                                                                                                                              • Instruction Fuzzy Hash: 1B315631E10B4ADBCB10AFB9D811299F372BF99320F25871AE55977240EB70B5D4CB90
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 49f9f3be60e4be9da6aeb5725a3e422e1795eeb7bb0351c98b20825b7049293e
                                                                                                                                                              • Instruction ID: 25744ddd86a9689e1c2dfe70521cd33ffea5250072a5abc24e803b71f060bf6b
                                                                                                                                                              • Opcode Fuzzy Hash: 49f9f3be60e4be9da6aeb5725a3e422e1795eeb7bb0351c98b20825b7049293e
                                                                                                                                                              • Instruction Fuzzy Hash: BA31D43590020DEFCF12DFA5E8498ADBBB2FB48301F118415E921AB362DB366956DF52
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 1520ba6c774db40da329869c9a615133b1370e209315db27d66614ca47077f4a
                                                                                                                                                              • Instruction ID: cb91cf4e1321d0031916410eb0e73024b84cee8612650085e6e2c3959f6e2c22
                                                                                                                                                              • Opcode Fuzzy Hash: 1520ba6c774db40da329869c9a615133b1370e209315db27d66614ca47077f4a
                                                                                                                                                              • Instruction Fuzzy Hash: B3318431E1074ACFCB119FB9D4241AEB7B1FF85310B10862FD856A7341EB75A985CB91
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f53b2c062e4c050248c0839f2e6a2775fbc5724ec5dd1103f7c9f222ed56763b
                                                                                                                                                              • Instruction ID: 946d5e6ff008cc71ed86007705ceea4e1be4a400b236c6e86ab4bbe8a003c9d8
                                                                                                                                                              • Opcode Fuzzy Hash: f53b2c062e4c050248c0839f2e6a2775fbc5724ec5dd1103f7c9f222ed56763b
                                                                                                                                                              • Instruction Fuzzy Hash: 8F01C0B4D08219EFCB04DFA9D5456AEBFF5BB48301F2085AAD915A3390E7344A41CFA1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a36523e764cd93aec48f4520cb53a04bce7e7d91156cadefd99a4ed693de8891
                                                                                                                                                              • Instruction ID: bd530b646e748d01dd03a2d51bf06650175d590a44241c6378f817019bcbca11
                                                                                                                                                              • Opcode Fuzzy Hash: a36523e764cd93aec48f4520cb53a04bce7e7d91156cadefd99a4ed693de8891
                                                                                                                                                              • Instruction Fuzzy Hash: 24012874900218AFCB94DFA9D8048EFBFF4BF88321B00452AE44AE7261D7305A45CBA1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.304745671.000000000515D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0515D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_515d000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 8aa3e4d2459372c39f925129230873c18af3fbf34ee64ea1fff2497ef6cdbaad
                                                                                                                                                              • Instruction ID: 4ce95ba8469e4df3c52582d1a29435fc72518f277e2b00233f17dcc1b457fb98
                                                                                                                                                              • Opcode Fuzzy Hash: 8aa3e4d2459372c39f925129230873c18af3fbf34ee64ea1fff2497ef6cdbaad
                                                                                                                                                              • Instruction Fuzzy Hash: 4FF0C275408244DEE7218A16DC84B67FF98EF81234F18C55AED185F286C3799844CBB1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: bc835a56a18451916ca0b31542e0d51f4a72c942f34ae94a8c6d0203e0a32cd1
                                                                                                                                                              • Instruction ID: 33daae1b1b6673111a8bca00e6d4103100717bdefda51b5df37f921183b4bded
                                                                                                                                                              • Opcode Fuzzy Hash: bc835a56a18451916ca0b31542e0d51f4a72c942f34ae94a8c6d0203e0a32cd1
                                                                                                                                                              • Instruction Fuzzy Hash: BBF05E61B0D3D44FC71756B95C384666FA599D718274E40EFE2C6CF7E3D948480AC392
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c7969a08c4268d8e81bf0bf499488049c6aa5fe0d7d3c4b0eb5f7521db928ebd
                                                                                                                                                              • Instruction ID: b75b1bf83473a1f6677c8ccb9dc7b9afcb2a369b6194bc9a68c70a10139443f4
                                                                                                                                                              • Opcode Fuzzy Hash: c7969a08c4268d8e81bf0bf499488049c6aa5fe0d7d3c4b0eb5f7521db928ebd
                                                                                                                                                              • Instruction Fuzzy Hash: E4F02739304388DFC3116B39B80886ABF6AEBCA224700856BE419C7353DBB54C058771
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e85bbb9f5804aa5d3c8767fe8bb2c437b908a1fa7cd893b81fb688a838276ff4
                                                                                                                                                              • Instruction ID: 0bb390f038f33c0f5b7d9237c88b1abb1001435ae22405e1a6cfe272e11cfe39
                                                                                                                                                              • Opcode Fuzzy Hash: e85bbb9f5804aa5d3c8767fe8bb2c437b908a1fa7cd893b81fb688a838276ff4
                                                                                                                                                              • Instruction Fuzzy Hash: 80F04F34A0024DEFCB50EFB8E94959CBBB1FB44304B2048AAC815A7356EA315E05CB52
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 9372be0054bbca5f5544cf88f24a1b937f6190876b1ae5809a44e4886604f236
                                                                                                                                                              • Instruction ID: 33667c05217f16c9b0a3de93cebec9740dc7a5b91580904788a3929dbe4ceb18
                                                                                                                                                              • Opcode Fuzzy Hash: 9372be0054bbca5f5544cf88f24a1b937f6190876b1ae5809a44e4886604f236
                                                                                                                                                              • Instruction Fuzzy Hash: C601A475A45259ABDF00DF94DD94FAEBB72BF48340F104015E812BB2A0C6755941DB60
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 6567d4ab90d611bc405539a93aaadcc1b2fa9da7058b20a7ee14085a4f0b2e58
                                                                                                                                                              • Instruction ID: f808a27ce62479ba7976205e0c69fbfefc2a93186ef73ff3ee8fee66a6fa8b91
                                                                                                                                                              • Opcode Fuzzy Hash: 6567d4ab90d611bc405539a93aaadcc1b2fa9da7058b20a7ee14085a4f0b2e58
                                                                                                                                                              • Instruction Fuzzy Hash: AAF04934A002189FCB54DFAAD80459EBBF4FF88321F00452AD459E7250DB706A49CBD1
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: aef3a4ab49fbe0c0466b6d637b3207e023cfe610f871bf3a4fdb457dd6bfa214
                                                                                                                                                              • Instruction ID: 90bb8176ccc0a288be2725935b41ec7c80a80a75ef110505eb21caf6ddf4179a
                                                                                                                                                              • Opcode Fuzzy Hash: aef3a4ab49fbe0c0466b6d637b3207e023cfe610f871bf3a4fdb457dd6bfa214
                                                                                                                                                              • Instruction Fuzzy Hash: C2E022303013995BC72A5639680047A7BABAEC535070481BFD506CB751EB65880187A0
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 94cd2d7cb993fc1dd11c8010f409ce904308cfdd50f5ee444a6793104d13d145
                                                                                                                                                              • Instruction ID: f2367d7c5c67bbee4108e40da730d66e424a29de3a260648e36db7a6b3f95f02
                                                                                                                                                              • Opcode Fuzzy Hash: 94cd2d7cb993fc1dd11c8010f409ce904308cfdd50f5ee444a6793104d13d145
                                                                                                                                                              • Instruction Fuzzy Hash: 8DF0E5373416659FC314CF2DD840C4ABBA9AF81720305815AE44887371CB20FD40C7D0
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.322595530.000000000A580000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A580000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_a580000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000002.00000002.319446923.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_2_2_9410000_AppLaunch.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              Uniqueness

                                                                                                                                                              Uniqueness Score: -1.00%